According to The Register, "A fundamental design flaw in Intel's processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug." From the report: Programmers are scrambling to overhaul the open-source Linux kernel's virtual memory system. Meanwhile, Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in this month's Patch Tuesday: these changes were seeded to beta testers running fast-ring Windows Insider builds in November and December. Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products. The effects are still being benchmarked, however we're looking at a ballpark figure of five to 30 per cent slow down, depending on the task and the processor model. More recent Intel chips have features -- specifically, PCID -- to reduce the performance hit. Similar operating systems, such as Apple's 64-bit macOS, will also need to be updated -- the flaw is in the Intel x86 hardware, and it appears a microcode update can't address it. It has to be fixed in software at the OS level, or buy a new processor without the design blunder. Details of the vulnerability within Intel's silicon are under wraps: an embargo on the specifics is due to lift early this month, perhaps in time for Microsoft's Patch Tuesday next week. Indeed, patches for the Linux kernel are available for all to see but comments in the source code have been redacted to obfuscate the issue. The report goes on to share some details of the flaw that have surfaced. "It is understood the bug is present in modern Intel processors produced in the past decade," reports The Register. "It allows normal user programs -- from database applications to JavaScript in web browsers -- to discern to some extent the contents of protected kernel memory. The fix is to separate the kernel's memory completely from user processes using what's called Kernel Page Table Isolation, or KPTI."

An anonymous reader writes: The i-Programmer site revisits one of its top stories of 2017, about researchers who used data from GitHub for a large-scale empirical investigation into static typing versus dynamic typing. The team investigated 20 programming languages, using GitHub code repositories for the top 50 projects written in each language, examing 18 years of code involving 29,000 different developers, 1.57 million commits, and 564,625 bug fixes.

The results? "The languages with the strongest positive coefficients - meaning associated with a greater number of defect fixes are C++, C, and Objective-C, also PHP and Python. On the other hand, Clojure, Haskell, Ruby and Scala all have significant negative coefficients implying that these languages are less likely than average to result in defect fixing commits."

Or, in the researcher's words, "Language design does have a significant, but modest effect on software quality. Most notably, it does appear that disallowing type confusion is modestly better than allowing it, and among functional languages static typing is also somewhat better than dynamic typing."

Slashdot's most-visited story of 2017 was Google Has Demonstrated a Successful Practical Attack Against SHA-1, which was visited more than 212,000 times since it was published in Feburary.

And our second- and third-most popular stories also came in February -- both just one week before.

FCC Chairman Wants It To Be Easier To Listen To Free FM Radio On Your Smartphone and IT Decisions Makers and Executives Don't Agree On Cyber Security Responsibility.

Keep reading for a complete list of Slashdot's 10 most-visited stories of 2017.

According to a report by Korean outlet ETnews (via The Investor), Apple placed an order for 180 million to 200 million OLED displays from Samsung's manufacturing branch, Samsung Display, for the next round of iPhones. Each display is estimated to cost $110, which could mean the deal is worth up to $22 billion. CNET reports: The recently released iPhone X was Apple's first phone to feature an OLED display, rather than an LCD panel. Samsung, on the other hand, has been using OLED displays in its phones for quite some time. Currently Samsung holds a near monopoly on the world's manufacturing of OLED screens. As a result, Apple had little choice but to turn to its rival for this type of screen. This isn't the first deal of its kind. Earlier this year it was reported that Apple bought 60 million OLED displays from Samsung, apparently for what would later become the iPhone X. According to the report, Apple's next order is up to four times larger than this previous order. Demand is so high that Samsung considered opening a new manufacturing plant to process Apple's order, the report said, but has been able to manufacture enough of the panels to fill Apple's order.

An anonymous reader writes: Canonical has temporarily pulled the download links for Ubuntu 17.10 "Artful Aardvark" from the Ubuntu website due to ongoing reports of some laptops finding their BIOS corrupted after installing this latest Ubuntu release. The issue is appearing most frequently with Lenovo laptops but there are also reports of issues with other laptop vendors as well. This issue appears to stem from the Intel SPI driver in the 17.10's Linux 4.13 kernel corrupting the BIOS for a select number of laptop motherboards. Canonical is aware of this issue and is planning to disable the Intel SPI drivers in their kernel builds. Canonical's hardware enablement team has already verified this works around the problem, but doesn't provide any benefit if your BIOS is already corrupted.

An anonymous reader writes: Just days before voting to repeal net neutrality regulations, FCC chairman Ajit Pai introduced a comedy video at the annual gathering of the Federal Communications Bar Association -- and it offered its own self-disparaging version of Pai's tenure as a Verizon attorney in 2003. "We want to brainwash and groom a Verizon puppet to install as FCC chairman," says a real-world Verizon executive appearing in the videotaped skit. "That sounds awesome," Pai responds.

And the day of the vote Pai also appeared in another trying-to-be-funny video on the conservative site The Daily Caller demonstrating "seven things you can still do on the internet after net neutrality." In the first image he's holding a fidget spinner and dressed as Santa Claus, and the unmistakably patronizing video reminds critics that they can still upload photos of their meals to Instagram and "post photos of cute animals, like puppies." He also demonstrated that net neutrality critics can still stay part of their favorite fan communities -- by showing himself holding a light saber. And this unexpectedly drew the wrath of Star Wars actor Mark Hamill, who responded on Twitter by calling him "Ajit 'Aren't I Precious?' Pai."

Hamill also added that "you are profoundly unworthy 2 wield a lightsaber. A Jedi acts selflessly for the common man, NOT lie 2 enrich giant corporations." When U.S. Senator Ted Cruz responded -- likening government overreach to Darth Vader and urging Hamill to "reject the dark side" -- Hamill responded again, complaining that the Senator was "smarm-splaining." Hamill also added, "you'd have more credibility if you spelled my name correctly. I mean IT'S RIGHT THERE IN FRONT OF YOU! Maybe you're just distracted from watching porn at the office again."
The Houston Chronicle reports that the newest meme on Twitter is now Pai's over-sized coffee mug stamped with the logo for Reese's Peanut Butter cups, "which he occasionally sipped from during the widely-criticized reversal." The Dangerous Minds site notes that some angry net neutrality supporters have even taken their complaints to Reese's Facebook page, adding "Perhaps these protester's pleas to the candy company are simply a misguided hope that someone, ANYONE will listen to their frustration."

"Clearly, the FCC wasn't listening to the estimated 83% of Americans who support net neutrality."

The San Francisco Bay Area has more car thefts than any region in America, according to SFGate.com. A National Insurance Crime Bureau report found that between 2012 and 2014, there were an average of 30,000 car thefts a year just in the cities of San Francisco, Oakland and Hayward. But one theft took a strange turn. An anonymous reader quotes their report: Cierra and Josh Barton purchased a new Honda HR-V at the beginning of summer. It was stolen while parked in front of their Livermore apartment complex at the end of August. Four months later, Hayward police called the Bartons to say they had recovered the vehicle... What they found, to their surprise, was a car in relatively good shape -- a few dents, a rattling hood. But in the back and front windows were Lyft stickers, Cierra Barton said.

The odometer had spiked from 2,000 miles to more than 13,000. And in the back seat, Cierra said she found a pillow, a jacket and a stuffed animal. "It wasn't burned out, it wasn't gutted, but it appeared to be have been used as a Lyft," she said. That, Cierra added, was even worse than she imagined. "Not only did someone steal our car, they made money off it!"
Lyft says that "Given the information provided, we are unable to match this vehicle to any Lyft accounts in the area," adding they "stand ready to assist law enforcement in any investigation."

An anonymous reader writes: While many of you have likely heard of the "RADV" open-source Vulkan driver, it's been a community-written driver up to this point in the absence of AMD's official, cross-platform Vulkan driver being open-source. That's now changed with AMD now open-sourcing their official Vulkan driver. The code drop is imminent and they are encouraging the use of it for quick support of new AMD hardware, access to the Radeon GPU Profiler, easy integration of AMD Vulkan extensions, and enabling third-party extensions. For now at least it does provide better Vulkan performance than RADV but the RADV developers have indicated they plan to continue development of their Mesa-based Vulkan driver.

Several popular interpreted programming languages are affected by severe vulnerabilities that expose apps built on these languages to attacks, according to research presented at the Black Hat Europe 2017 security conference. An anonymous reader writes: The author of this research is IOActive Senior Security Consultant Fernando Arnaboldi, who says he used an automated software testing technique named fuzzing to identify vulnerabilities in the interpreters of five of today's most popular programming languages: JavaScript, Perl, PHP, Python, and Ruby.

Fuzzing involves providing invalid, unexpected, or random data as input to a software application. The researcher created his own fuzzing framework named XDiFF that broke down programming languages per each of its core functions and fuzzed each one for abnormalities. His work exposed severe flaws in all five languages, such as a hidden flaw in PHP constant names that can be abused to perform remote code execution, and undocumented Python methods that can be used for OS code execution. Arnaboldi argues that attackers can exploit these flaws even in the most secure applications built on top of these programming languages.

WheezyJoe writes: Classic Shell is a free Windows application that for years has replaced Microsoft's Start Screen or Start Menu with a highly configurable, more familiar non-tile Start menu. Yesterday, the lead developer released what he said would be the last version of Classic Shell. Citing other interests and the frequency at which Microsoft releases updates to Windows 10, as well as lagging support for the Win32 programming model, the developer says that he won't work on the program anymore. The application's source code is available on SourceForge, so there is a chance others may come and fork the code to continue development. There are several alternatives available, some pay and some free (like Start10 and Start Is Back++), but Classic Shell has an exceptionally broad range of tweaks and customizability.

An anonymous reader quotes Bleeping Computer: PHP got a whole lot more secure this week with the release of the 7.2 branch, a version that improves and modernizes the language's support for cryptography and password hashing algorithms.

Of all changes, the most significant is, by far, the support for Argon2, a password hashing algorithm developed in the early 2010s. Back in 2015, Argon2 beat 23 other algorithms to win the Password Hashing Competition, and is now in the midst of becoming a universally recognized Internet standard at the Internet Engineering Task Force (IETF), the reward for winning the contest. The algorithm is currently considered to be superior to Bcrypt, today's most widely used password hashing function, in terms of both security and cost-effectiveness, and is also slated to become a favorite among cryptocurrencies, as it can also handle proof-of-work operations.

The other major change in PHP 7.2 was the removal of the old Mcrypt cryptographic library from the PHP core and the addition of Libsodium, a more modern alternative.

14 terabytes of "highly confidential" data about 5,120 financial aid applications over seven years were exposed in a breach at Stanford's Graduate School of Business -- proving that the school "misled thousands of applicants and donors about the way it distributes fellowship aid and financial assistance to its MBA students," reports Poets&Quants. The information was unearthed by a current MBA student, Adam Allcock, in February of this year from a shared network directory accessible to any student, faculty member or staffer of the business school. In the same month, on Feb. 23, the student reported the breach to Jack Edwards, director of financial aid, and the records were removed within an hour of his meeting with Edwards. Allcock, however, says he spent 1,500 hours analyzing the data and compiling an 88-page report on it...

Allcock's discovery that more money is being used by Stanford to entice the best students with financial backgrounds suggests an admissions strategy that helps the school achieve the highest starting compensation packages of any MBA program in the world. That is largely because prior work experience in finance is generally required to land jobs in the most lucrative finance fields in private equity, venture capital and hedge funds.
Half the school's students are awarded financial aid, and though Stanford always insisted it was awarded based only on need, the report concluded the school had been "lying to their faces" for more than a decade, also identifying evidece of "systemic biases against international students."

Besides the embarrassing exposure of their financial aid policies, there's another obvious lesson, writes Slashdot reader twentysixV. "It's actually way too easy for users to improperly secure their files in a shared file system, especially if the users aren't particularly familiar with security settings." Especially since Friday the university also reported another university-wide file-sharing platform had exposed "a variety of information from several campus offices, including Clery Act reports of sexual violence and some confidential student disciplinary information from six to 10 years ago."

"A man with an anti-media agenda was arrested in Oakland after he flew a drone over two different stadiums to drop leaflets" last Sunday, writes Slashdot reader execthis. A local CBS station reports: According to investigators, [55-year-old Tracy] Mapes piloted his drone over Levi's Stadium during the second quarter of the 49ers-Seattle game and released a load of pamphlets. He then quickly landed the drone, loaded it up and drove over to Oakland. He flew a similar mission over the Raiders-Broncos game. Santa Clara Police Lt. Dan Moreno said after Mapes was apprehended he defended the illegal action as a form of free speech.
USA Today reports there's now also an ongoing federal investigation "because the Federal Aviation Administration prohibits the flying of drones within five miles of an airport. Both Levi's Stadium and Oakland Coliseum are within that range."

"The San Francisco Chronicle added that the drone was a relatively ineffective messenger because 'most of the drone-dropped leaflets were carried away by the wind.'"

If you tried to start a car that's been sitting in a garage for decades, you might not expect the engine to respond. But a set of thrusters aboard the Voyager 1 spacecraft successfully fired up Wednesday after 37 years without use. NASA announces: Voyager 1, NASA's farthest and fastest spacecraft, is the only human-made object in interstellar space, the environment between the stars. The spacecraft, which has been flying for 40 years, relies on small devices called thrusters to orient itself so it can communicate with Earth. These thrusters fire in tiny pulses, or "puffs," lasting mere milliseconds, to subtly rotate the spacecraft so that its antenna points at our planet. Now, the Voyager team is able to use a set of four backup thrusters, dormant since 1980. "With these thrusters that are still functional after 37 years without use, we will be able to extend the life of the Voyager 1 spacecraft by two to three years," said Suzanne Dodd, project manager for Voyager at NASA's Jet Propulsion Laboratory, Pasadena, California.

An anonymous reader writes: Recently completed Linux distro benchmarks by Phoronix show Intel's Clear Linux is the most powerful on x86 hardware. A six-way, enterprise-focused Linux distro comparison show Clear Linux being the fastest with a Core i9 and Xeon systems, easily beating CentOS, openSUSE, and Ubuntu in a majority of the tests.

When doing an 11-way Linux distro boot test they also found Clear Linux easily booted the fastest followed by the Clear-inspired Solus distribution. Clear Linux does work on AMD hardware and works on Intel CPUs back to Sandy Bridge but leverages its speed from optimized compiler settings, specially built libraries capable of AVX instructions on supported systems, a specially tuned kernel configuration, and other optimizations/patches.
Debian 9.2 and Fedora 27 "ended up being dropped from this article due to data overload," the article concludes, "and those distributions really not offering anything really different in terms of the performance."

From a report: Instacart shoppers and drivers -- the people who gather your groceries and deliver them to you after you order via the Instacart app -- are on strike. While independent contractors can't technically strike, via a Facebook group some of the company's thousands of employees have organized a "no delivery day" in the hopes of getting higher wages, the San Francisco Chronicle reports. The strike is only taking place in a few of the 154 cities nationwide that Instacart operates in. The action may be small, but the grievances are big. While Instacart, the 5-year-old San Francisco startup, is valued at $3.4 billion, it allegedly pays its workers as little as $1 per order. Ars Technica has a great breakdown of all the issues surrounding how Instacart employees get paid and it's complex, with three different income streams coming together Voltron-like to form a wage. The result, though, is that some shoppers are being paid less than the federal minimum wage, like a Jackson, Miss., worker who put in a 19-hour week in Jackson, Mississippi, that paid out $37.75 (roughly $2/hour). That's far below the $14/hour wage that Ars Technica says Instacart is targeting.

Michael Larabel, writing for Phoronix: Intel is planning to end "legacy BIOS" support in their new platforms by 2020 in requiring UEFI Class 3 or higher. Making rounds this weekend is a slide deck from the recent UEFI Plugfest. Brian Richardson of Intel talked about the "last mile" barriers to removing legacy BIOS support from systems. By 2020, they will be supporting no less than UEFI Class 3, which means only UEFI support and no more legacy BIOS or CSM compatibility support mode. But that's not going to force on UEFI Secure Boot unconditionally: Secure Boot enabled is considered UEFI Class 3+. Intel hasn't removed legacy BIOS / CSM support yet due to many customers' software packages still relying upon legacy BIOS, among other reasons. Removing the legacy BIOS support will mitigate some security risks, needs less validation by vendors, allows for supporting more modern technologies, etc.

An anonymous reader quotes the New York Daily News: Authorities in Texas served Apple with a search warrant in order to gain access to the Sutherland Springs church shooter's cellphone files. Texas Ranger Kevin Wright obtained the warrant last week, according to San Antonio Express-News.

Investigators are hoping to gain access to gunman Devin Patrick Kelley's digital photos, messages, calls, videos, social media passwords, address book and data since January 2016. Authorities also want to know what files Kelley stored in his iCloud account.
Fast Company writes that "it's very likely that Apple will give the Rangers the same answer it gave the FBI in 2016 (in effect, hell no!)... That may be why, in the Texas case, the FBI and the Rangers didn't even bother calling Apple, but rather went straight to court."

An anonymous reader shares a report from Bloomberg, explaining how Silicon Valley makes billions of dollars peddling personal information, supported by an ecosystem of bit players. Editor Drake Bennett highlights the battle between an upstart called HiQ and LinkedIn, who are fighting for your lucrative professional identity. Here's an excerpt from the report: A small number of the world's most valuable companies collect, control, parse, and sell billions of dollars' worth of personal information voluntarily surrendered by their users. Google, Facebook, Amazon, and Microsoft -- which bought LinkedIn for $26.2 billion in 2016 -- have in turn spawned dependent economies consisting of advertising and marketing companies, designers, consultants, and app developers. Some operate on the tech giants' platforms; some customize special digital tools; some help people attract more friends and likes and followers. Some, including HiQ, feed off the torrents of information that social networks produce, using software bots to scrape data from profiles. The services of the smaller companies can augment the offerings of the bigger ones, but the power dynamic is deeply asymmetrical, reminiscent of pilot fish picking food from between the teeth of sharks. The terms of that relationship are set by technology, economics, and the vagaries of consumer choice, but also by the law. LinkedIn's May 23 letter to HiQ wasn't the first time the company had taken legal action to prevent the perceived hijacking of its data, and Facebook and Craigslist, among others, have brought similar actions. But even more than its predecessors, this case, because of who's involved and how it's unfolded, has spoken to the thorniest issues surrounding speech and competition on the internet.

diegocg quotes Kernel Newbies: Linux 4.11 has been released. This release adds support for bigger memory limits in x86 hardware (128PiB of virtual address space, 4PiB of physical address space); support for AMD Secure Memory Encryption; a new unwinder that provides better kernel traces and a smaller kernel size; support for the zstd compression algorithm has been added to Btrfs and Squashfs; support for zero-copy of data from user memory to sockets; support for Heterogeneous Memory Management that will be needed in future GPUs; better cpufreq behaviour in some corner cases; faster TBL flushing by using the PCID instruction; asynchronous non-blocking buffered reads; and many new drivers and other improvements.
Phoronix has more on the changes in Linux 4.14 -- and notes that its codename is still "Fearless Coyote."