×
Programming

Eric Raymond Shares 'Code Archaeology' Tips, Urges Bug-Hunts in Ancient Code (itprotoday.com) 109

Open source guru Eric Raymond warned about the possibility of security bugs in critical code which can now date back more than two decades -- in a talk titled "Rescuing Ancient Code" at last week's SouthEast Linux Fest in North Carolina. In a new interview with ITPro Today, Raymond offered this advice on the increasingly important art of "code archaeology". "Apply code validators as much as you can," he said. "Static analysis, dynamic analysis, if you're working in Python use Pylons, because every bug you find with those tools is a bug that you're not going to have to bleed through your own eyeballs to find... It's a good thing when you have a legacy code base to occasionally unleash somebody on it with a decent sense of architecture and say, 'Here's some money and some time; refactor it until it's clean.' Looks like a waste of money until you run into major systemic problems later because the code base got too crufty. You want to head that off...."

"Documentation is important," he added, "applying all the validators you can is important, paying attention to architecture, paying attention to what's clean is important, because dirty code attracts defects. Code that's difficult to read, difficult to understand, that's where the bugs are going to come out of apparent nowhere and mug you."

For a final word of advice, Raymond suggested that it might be time to consider moving away from some legacy programming languages as well. "I've been a C programmer for 35 years and have written C++, though I don't like it very much," he said. "One of the things I think is happening right now is the dominance of that pair of languages is coming to an end. It's time to start looking beyond those languages for systems programming. The reason is we've reached a project scale, we've reached a typical volume of code, at which the defect rates from the kind of manual memory management that you have to do in those languages are simply unacceptable anymore... think it's time for working programmers and project managers to start thinking about, how about if we not do this in C and not incur those crazy downstream error rates."

Raymond says he prefers Go for his alternative to C, complaining that Rust has a high entry barrier, partly because "the Rust people have not gotten their act together about a standard library."
Java

Survey: JavaScript is the Most-Used Language, But Java is the Most Popular (sdtimes.com) 136

An anonymous reader quotes SD Times Java remains the most popular primary programming language, but JavaScript is the most used programming language overall. That is according to a recently released report from JetBrains on the State of the Developer Ecosystem in 2018. The report surveyed more than 6,000 developers from 17 countries to reveal the trends driving the world of coding this year... According to the report, Java, JavaScript and Python are the top three programming languages this year, and Go is the most promising language. Twenty percent of developers use multiple versions of Go at the same time, and 26 percent set up their GOPATH per project. The top Go frameworks include Gin, Beego, Echo and Buffalo.

While 38 percent of developers have no plans to adopt any new languages this year, the top languages respondents have started to learn in the last year include Python, JavaScript, Java, Go, TypeScript and Kotlin... Eighty-two percent of respondents use IDEs while 69 percent use editors. Of those using IDEs and editors, only 12 percent cited that they don't customize their IDE/editors. In addition, 77 percent use the dark theme for their editor or IDE... Some fun facts about developers include 77 percent listen to music while they are coding; the top music to listen to includes electronic, pop and rock; 53 percent sleep seven to eight hours a night; 85 percent code on the weekends; and 57 percent prefer coffee over tea.

Java

Oracle Lays Off Java Mission Control Team After Open Sourcing Product (infoq.com) 65

Kesha Williams, reporting for InfoQ (shared by numerous readers): The Java Mission Control suite of tools, also known as JMC, was open sourced by Oracle on May 3rd to much applause and excitement from the Java development community. The excitement was replaced with unease as sources reported that the entire JMC development team had been laid off. JMC is a well-known profiling and diagnostics tools suite for the Java Virtual Machine (JVM) primarily targeting systems running in production. It is used by developers to gather detailed low-level information about how the JVM and the Java application are behaving. The official open source announcement came on May 5th from Marcus Hirt, a member of the Java Platform Group at Oracle. "Just wanted to say thank you to everyone who helped open source Java Mission Control in the relatively short period of time it was done in." According to Hirt, the intent behind open sourcing JMC was to provide the community with the opportunity to add new features and capabilities to the tools suite.
Java

Oracle Calls Java Serialization 'A Horrible Mistake', Plans to Dump It (infoworld.com) 198

An anonymous reader quotes InfoWorld: Oracle plans to drop from Java its serialization feature that has been a thorn in the side when it comes to security. Also known as Java object serialization, the feature is used for encoding objects into streams of bytes... Removing serialization is a long-term goal and is part of Project Amber, which is focused on productivity-oriented Java language features, says Mark Reinhold, chief architect of the Java platform group at Oracle.

To replace the current serialization technology, a small serialization framework would be placed in the platform once records, the Java version of data classes, are supported. The framework could support a graph of records, and developers could plug in a serialization engine of their choice, supporting formats such as JSON or XML, enabling serialization of records in a safe way. But Reinhold cannot yet say which release of Java will have the records capability. Serialization was a "horrible mistake" made in 1997, Reinhold says. He estimates that at least a third -- maybe even half -- of Java vulnerabilities have involved serialization. Serialization overall is brittle but holds the appeal of being easy to use in simple use cases, Reinhold says.

Security

After Equifax Breach, Major Firms Still Rely on Same Flawed Software (zdnet.com) 62

Last year's massive data breach at Equifax should have been a wake-up call for the entire industry. But a year after the patches were released, some of the world's wealthiest companies are still using, or have since introduced the same flawed software. From a report: Thousands of companies have downloaded vulnerable versions of Apache Struts, a popular web server software used across the Fortune 100 to provide web applications in Java. It's often used to power both front- and back-end applications -- including Equifax's public website. The bug used in the Equifax hack was fixed in March 2017, but Equifax never installed the patches. Since those patches were made available, data seen by ZDNet shows that least 10,800 companies downloaded vulnerable versions of the software. The data, provided by Sonatype, an open-source automation firm, shows that over half of the Fortune Global 100 are using vulnerable versions of the software. Although the firm wouldn't name the affected companies, a quarter of them are based in North America. The data showed that seven are tech giants, and 15 are financial services or insurance firms.
Books

New Book Describes 'Bluffing' Programmers in Silicon Valley (theguardian.com) 292

Long-time Slashdot reader Martin S. pointed us to this an excerpt from the new book Live Work Work Work Die: A Journey into the Savage Heart of Silicon Valley by Portland-based investigator reporter Corey Pein.

The author shares what he realized at a job recruitment fair seeking Java Legends, Python Badasses, Hadoop Heroes, "and other gratingly childish classifications describing various programming specialities." I wasn't the only one bluffing my way through the tech scene. Everyone was doing it, even the much-sought-after engineering talent. I was struck by how many developers were, like myself, not really programmers, but rather this, that and the other. A great number of tech ninjas were not exactly black belts when it came to the actual onerous work of computer programming. So many of the complex, discrete tasks involved in the creation of a website or an app had been automated that it was no longer necessary to possess knowledge of software mechanics. The coder's work was rarely a craft. The apps ran on an assembly line, built with "open-source", off-the-shelf components. The most important computer commands for the ninja to master were copy and paste...

[M]any programmers who had "made it" in Silicon Valley were scrambling to promote themselves from coder to "founder". There wasn't necessarily more money to be had running a startup, and the increase in status was marginal unless one's startup attracted major investment and the right kind of press coverage. It's because the programmers knew that their own ladder to prosperity was on fire and disintegrating fast. They knew that well-paid programming jobs would also soon turn to smoke and ash, as the proliferation of learn-to-code courses around the world lowered the market value of their skills, and as advances in artificial intelligence allowed for computers to take over more of the mundane work of producing software. The programmers also knew that the fastest way to win that promotion to founder was to find some new domain that hadn't yet been automated. Every tech industry campaign designed to spur investment in the Next Big Thing -- at that time, it was the "sharing economy" -- concealed a larger programme for the transformation of society, always in a direction that favoured the investor and executive classes.

"I wasn't just changing careers and jumping on the 'learn to code' bandwagon," he writes at one point. "I was being steadily indoctrinated in a specious ideology."
Java

Oracle Sets End Date for Business Java 8 Updates (infoworld.com) 85

An anonymous reader quotes InfoWorld: Further clarifying its ongoing support plans for Java SE 8, Oracle will require businesses to have a commercial license to get updates after January 2019. In an undated bulletin about the revision, Oracle said public updates for Java SE 8 released after January 2019 will not be available for business, commercial, or production use without a commercial license. However, public updates for Java SE 8 will be available for individual, personal use through at least the end of 2020.

Oracle advises enterprises to review the Oracle Java SE Support Roadmap to assess support requirements to migrate to a later release or obtain a commercial license... Oracle advises developers to review roadmaps for Java SE 8 and beyond and take appropriate action based on their application and its distribution model.

Security

Atlanta Projected To Spend At Least $2.6 Million on Ransomware Recovery (zdnet.com) 100

Atlanta is setting aside more than $2.6 million on recovery efforts stemming from a ransomware attack, which crippled a sizable part of the city's online services. ZDNet reports: The city was hit by the notorious SamSam ransomware, which exploits a deserialization vulnerability in Java-based servers. The ransom was set at around $55,000 worth of bitcoin, a digital cryptocurrency that in recent weeks has wildy fluctated in price. But the ransom was never paid, said Atlanta city spokesperson Michael Smith in an email. Between the ransomware attack and the deadline to pay, the payment portal was pulled offline by the ransomware attacker. According to newly published emergency procurement figures, the city is projected to spend as much as 50 times that amount in response to the cyberattack. Between March 22 and April 2, the city budgeted $2,667,328 in incident response, recovery, and crisis management.
Security

Atlanta, Hit by Ransomware Attack, Also Fell Victim To Leaked NSA Exploits (zdnet.com) 75

Zack Whittaker, reporting for ZDNet: It's been almost a week since the City of Atlanta was hit by a ransomware attack, which encrypted city data and led to the shutdown of some services. Mayor Keisha Lance Bottoms said in a press conference Monday that the city's government is working on recovering the network after ransom notes appeared on computer displays on Thursday afternoon. The city has hired local cybersecurity firm SecureWorks to assess the situation. Reports say the notorious SamSam ransomware was used in the Atlanta attack, which exploits a deserialization vulnerability in Java-based servers.

[...] But according to one security firm, last week's cyberattack was not a surprise because the city had fallen victim to leaked government exploits used in the WannaCry outbreak. New data provided by Augusta, Ga.-based cybersecurity firm Rendition Infosec, seen by ZDNet, shows that the city's network was silently infected last year with leaked exploits developed by the National Security Agency. The cybersecurity firm's founder Jake Williams said at least five internet-facing city servers were infected with the NSA-developed DoublePulsar backdoor in late April to early May 2017. That was more than a month after Microsoft released critical patches for the exploits and urged users to install.

Google

Oracle Wins Revival of Billion-Dollar Case Against Google (bloomberg.com) 332

Google could owe Oracle billions of dollars after an appeals court said it didn't have the right to use the Oracle-owned Java programming code in its Android operating system on mobile devices. From a report: Google's use of Java shortcuts to develop Android went too far and was a violation of Oracle's copyrights, the U.S. Court of Appeals for the Federal Circuit ruled. The case was remanded to a federal court in California to determine how much the Alphabet unit should pay.

The dispute is over pre-written directions known as application program interfaces, or APIs, which can work across different types of devices and provide the instructions for things like connecting to the internet or accessing certain types of files. By using the APIs, programmers don't have to write new code from scratch to implement every function in their software or change it for every type of device. The case has divided Silicon Valley for years, testing the boundaries between the rights of those who develop interface code and those who rely on it to develop software programs.

Java

Oracle Releases Java 10, Promises Much Faster Release Schedule (adtmag.com) 134

An anonymous reader quotes Application Development Trends: Oracle announced the general availability of Java SE 10 (JDK 10) this week. This release, which comes barely six months after the release of Java SE 9, is the first in the new rapid release cadence Oracle announced late last year. The new release schedule, which the company is calling an "innovation cycle," calls for a feature release every six months, update releases every quarter, and a long-term support (LTS) release every three years. Java 10 is a feature release that obsoletes Java 9. The next LTS release will be Java 11, expected in September. The next LTS version after that will be Java 17, scheduled for release in September 2021...

The six-month feature release cadence is meant to reduce the latency between major releases, explained is Sharat Chander, director of Oracle's Java SE Product Management group, said in a blog post. "This release model takes inspiration from the release models used by other platforms and by various operating-system distributions addressing the modern application development landscape," Chander wrote. "The pace of innovation is happening at an ever-increasing rate and this new release model will allow developers to leverage new features in production as soon as possible. Modern application development expects simple open licensing and a predictable time-based cadence, and the new release model delivers on both."

This release finally adds var to the Java language (though its use is limited to local variables with initializers or declared in a for-loop). It's being added "to improve the developer experience by reducing the ceremony associated with writing Java code, while maintaining Java's commitment to static type safety, by allowing developers to elide the often-unnecessary manifest declaration of local variable type."
Programming

Developers Love Trendy New Languages, But Earn More With Functional Programming: Stack Overflow's Annual Survey (arstechnica.com) 111

Stack Overflow has released the results of its annual survey of 100,000 developers, revealing the most-popular, top-earning, and preferred programming languages. ArsTechnica: JavaScript remains the most widely used programming language among professional developers, making that six years at the top for the lingua franca of Web development. Other Web tech including HTML (#2 in the ranking), CSS (#3), and PHP (#9). Business-oriented languages were also in wide use, with SQL at #4, Java at #5, and C# at #8. Shell scripting made a surprising showing at #6 (having not shown up at all in past years, which suggests that the questions have changed year-to-year), Python appeared at #7, and systems programming stalwart C++ rounded out the top 10.

These aren't, however, the languages that developers necessarily want to use. Only three languages from the most-used top ten were in the most-loved list; Python (#3), JavaScript (#7), and C# (#8). For the third year running, that list was topped by Rust, the new systems programming language developed by Mozilla. Second on the list was Kotlin, which wasn't even in the top 20 last year. This new interest is likely due to Google's decision last year to bless the language as an official development language for Android. TypeScript, Microsoft's better JavaScript than JavaScript comes in at fourth, with Google's Go language coming in at fifth. Smalltalk, last year's second-most loved, is nowhere to be seen this time around. These languages may be well-liked, but it looks as if the big money is elsewhere. Globally, F# and OCaml are the top average earners, and in the US, Erlang, Scala, and OCaml are the ones to aim for. Visual Basic 6, Cobol, and CoffeeScript were the top three most-dreaded, which is news that will surprise nobody who is still maintaining Visual Basic 6 applications thousands of years after they were originally written.

Programming

JavaScript Rules But Microsoft Programming Languages Are On the Rise (zdnet.com) 141

Microsoft languages seem to be hitting the right note with coders across ops, data science, and app development. From a report: JavaScript remains the most popular programming language, but two offerings from Microsoft are steadily gaining, according to developer-focused analyst firm RedMonk's first quarter 2018 ranking. RedMonk's rankings are based on pull requests in GitHub, as well as an approximate count of how many times a language is tagged on developer knowledge-sharing site Stack Overflow. Based on these figures, RedMonk analyst Stephen O'Grady reckons JavaScript is the most popular language today as it was last year. In fact, nothing has changed in RedMonk's top 10 list with the exception of Apple's Swift rising to join its predecessor, Objective C, in 10th place. The top 10 programming languages in descending order are JavaScript, Java, Python, C#, C++, CSS, Ruby, and C, with Swift and Objective-C in tenth.

TIOBE's top programming language index for March consists of many of the same top 10 languages though in a different order, with Java in top spot, followed by C, C++, Python, C#, Visual Basic .NET, PHP, JavaScript, Ruby, and SQL. These and other popularity rankings are meant to help developers see which skills they should be developing. Outside the RedMonk top 10, O'Grady highlights a few notable changes, including an apparent flattening-out in the rapid ascent of Google's back-end system language, Go.

Open Source

'Java EE' Has Been Renamed 'Jakarta EE' (i-programmer.info) 95

An anonymous reader quotes i-Programmer: The results are in for the vote on the new name for Java Enterprise Edition, and unsurprisingly the voters have chosen Jakarta EE. The renaming has to happen because Oracle refused to let the name Java be used. The vote was to choose between two options - 'Jakarta EE' and 'Enterprise Profile'. According to Mike Milinkovich, executive director at the Eclipse Foundation, almost 7,000 people voted, and over 64% voted in favour of Jakarta EE. The other finalist, "Enterprise Profile," came in at just 35.6% of the votes when voted ended last Friday.
"Other Java projects have also been renamed in Eclipse," notes SD Times. "Glassfish is now Eclipse Glassfish. The Java Community Process is now the Eclipse EE.next Working Group, and Oracle development management is now Eclipse Enterprise for Java Project Management Committee."
Education

The College Board Pushes To Make Computer Science a High School Graduation Requirement 132

theodp writes: Education Week reports that the College Board wants high schools to make it mandatory for students to take computer science before they graduate. The call came as the College Board touted the astonishing growth in its Advanced Placement (AP) computer science courses, which was attributed to the success of its new AP Computer Science Principles (AP CSP) class, a "lite" alternative to the Java-based AP CS A course. "The College Board is willing to invest serious resources in making this viable -- much more so than is in our economic interest to do so," said College Board President David Coleman. "To governors, legislators, to others -- if you will help us make this part of the life of schools, we will help fund it."

Just two days before Coleman's funds-for-compulsory-CS offer, Education Week cast a skeptical eye at the tech sector's role in creating a tremendous surge of enthusiasm for K-12 CS education. Last spring, The College Board struck a partnership with the Chan Zuckerberg Initiative with a goal of making AP CSP available in every U.S. school district. Also contributing to the success of the College Board's high school AP CS programs over the years has been tech-bankrolled Code.org, as well as tech giants Microsoft and Google. The idea of a national computer programming language requirement for high school students was prominently floated in a Google-curated Q&A session with President Obama (video) following the 2013 State of the Union address.
Google

The Insane Amount of Backward Compatibility in Google Maps (tnhh.net) 73

Huan Truong, a software developer, writes in a blog post: There is always an unlikely app that consistently works on all of my devices, regardless of their OS and how old they are: Google Maps. Google Maps still works today on Android 1.0, the earliest version available (Maps actually still works with some of the beta versions before that). I believe Maps was only a prototype app in Android 1.0. If I recall correctly, Google didn't have any official real device to run Android 1.0. That was back all the way in 2007. But then, you say, Android is Google's OS for Pete's sake. How about iOS? Google Maps for iOS, version 1.0, released late 2012, still works just fine. That was the first version of Google Maps ever released as a standalone app after Apple ditched Google's map solution on iOS. But wait... there is more. There is native iOS Maps on iOS 6, which was released in early 2012, and it still works. But that's only 6 years ago. Let's go hardcore. How about Google Maps on Java phones (the dumb bricks that run Java "midlets" or whatever the ancient Greeks call it)? It works too. [...] The Palm OS didn't even have screenshot functionality. But lo and behold, Google Maps worked.
Programming

Employers Want JavaScript, But Developers Want Python, Survey Finds (infoworld.com) 222

An anonymous reader quotes InfoWorld: When it comes to which programming languages are in demand by employers, JavaScript, Java, Python, C++, and C -- in that order -- came out on top in a recent developer survey. Developers, however, want to learn languages like Python, Go, and Kotlin. A survey of developers by technical recruiter HackerRank, conducted in October, found no gap between languages employers want and what developers actually know, with JavaScript barely edging out Java...

HackerRank also found gaps in JavaScript frameworks between what employers want and what developers know. The React JavaScript UI library had the biggest delta between employers and developers, with about 37 percent of employers wanting React skills but only about 19 percent of developers having them... [But] problem-solving skills are the most-sought by employers, more than language proficiency, debugging, and system design.

The survey involved 39,441 developers, and concluded that "Python ruled among all age groups," according to Application Development Trends, "except for those 55 years or older, who narrowly prefer C."
Programming

C Programming Language 'Has Completed a Comeback' (infoworld.com) 243

InfoWorld reports that "the once-declining C language" has "completed a comeback" -- citing its rise to second place in the Tiobe Index of language popularity, the biggest rise of any language in 2017. An anonymous reader quotes their report: Although the language only grew 1.69 percentage points in its rating year over year in the January index, that was enough beat out runners-up Python (1.21 percent gain) and Erlang (0.98 percent gain). Just five months ago, C was at its lowest-ever rating, at 6.477 percent; this month, its rating is 11.07 percent, once again putting it in second place behind Java (14.215 percent) -- although Java dropped 3.05 percent compared to January 2017. C's revival is possibly being fueled by its popularity in manufacturing and industry, including the automotive market, Tiobe believes...

But promising languages such as Julia, Hack, Rust, and Kotlin were not able to reach the top 20 or even the top 30, Tiobe pointed out. "Becoming part of the top 10 or even the top 20 requires a large ecosystem of communities and evangelists including conferences," said Paul Jansen, Tiobe managing director and compiler of the index. "This is not something that can be developed in one year's time."

For 2017 Tiobe also reports that after Java and C, the most popular programming languages were C++, Python, C#, JavaScript, Visual Basic .Net, R, PHP, and Perl.

The rival Pypl Popularity of Programming Language index calculates that the most popular languages are Java, Python, PHP, JavaScript, C#, C++, C, R, Objective-C, and Swift.
Programming

2017: The Year in Programming Languages (infoworld.com) 117

InfoWorld writes that 2017 "presented a mixed bag of improvements to both long-established and newer programming languages." An anonymous reader quotes their report: Developers followed a soap opera over Java, with major disagreements over a modularization plan for standard Java and, in a surprising twist, Oracle washing its hands of the Java EE enterprise variant. Microsoft's TypeScript, meanwhile, has increased in popularity by making life easier for developers looking for an alternative to JavaScript. Microsoft also launched Q#, a language for quantum computing...

In web development, developers received a lot of help building with JavaScript itself or with JavaScript alternatives. Among the tools released in 2017 were: Google's Angular 5 JavaScript framework, released in November, featuring a build optimizer and supports progressive web apps and use of Material Design components... And React, the JavaScript UI library from Facebook, went to Version 16 in September, featuring a rewriting of the React core to boost responsiveness for complex applications...

TypeScript was not the only JavaScript alternative making waves this year. For web developers who would rather use Google's Go (Golang) language instead of JavaScript, the beta Joy compiler introduced in December promises to allow cross-compilation. Another language that offers compilation to JavaScript -- although it began on the JVM -- is Kotlin, which has experienced rising fortunes this year. It was boosted considerably by Google endorsing it in May for building Android applications, which has been chiefly the domain of Java...

2017 also saw the release of the long-awaited C++ 17.

Another 2017 memory: Eric Raymond admitting that he hates C++, and predicting that Go (but not Rust) will eventually replace C -- if not a new language like Cx.
Bitcoin

In-Store WiFi Provider Used Starbucks Website To Generate Monero Coins (hackread.com) 30

hjf writes: On December 2nd, Twitter user Noah Dinkin tweeted a screenshot that showed that Starbucks' in-store "free WiFi" is using their captive portal to briefly mine the Monero cryptocurrency during the 10-second delay splash screen. Starbucks has not yet responded to the tweet, and neither has their wifi provider, Fibertel Argentina. While Dinkin mentioned that the culprit behind the scheme could be Starbucks' in-store wifi provider, it's possible that a cybercriminal could have hacked their website to place CoinHive code secretly. HackRead notes that "just a few days ago researchers identified more than 5,000 sites that were hijacked to insert CoinHive code, yet Starbucks' direct involvement is still unclear." CoinHive is a company that produces a JavaScript miner for the Monero Blockchain that you can embed in your website. Any coins mined by the browser are sent to the owner of the website.

Slashdot Top Deals