GitHub Introduces AI-Powered Tool That Suggests Ways It Can Auto-Fix Your Code

“It’s a bad day for bugs,” joked TechCrunch on Wednesday. “Earlier today, Sentry announced its AI Autofix feature for debugging production code…”

And then the same day, BleepingComputer reported that GitHub “introduced a new AI-powered feature capable of speeding up vulnerability fixes while coding.”

This feature is in public beta and automatically enabled on all private repositories for GitHub Advanced Security customers. Known as Code Scanning Autofix and powered by GitHub Copilot and CodeQL, it helps deal with over 90% of alert types in JavaScript, TypeScript, Java, and Python… After being toggled on, it provides potential fixes that GitHub claims will likely address more than two-thirds of found vulnerabilities while coding with little or no editing.

“When a vulnerability is discovered in a supported language, fix suggestions will include a natural language explanation of the suggested fix, together with a preview of the code suggestion that the developer can accept, edit, or dismiss,” GitHub’s Pierre Tempel and Eric Tooley said…
Last month, the company also enabled push protection by default for all public repositories to stop the accidental exposure of secrets like access tokens and API keys when pushing new code. This was a significant issue in 2023, as GitHub users accidentally exposed 12.8 million authentication and sensitive secrets via more than 3 million public repositories throughout the year.

GitHub will continue adding support for more languages, with C# and Go coming next, according to their announcement.

“Our vision for application security is an environment where found means fixed.”

Read more of this story at Slashdot.

Has ‘Silicon Valley-style Startup Disruption’ Arrived for Book Publishing?

The Baffler says a new publishing house launched earlier this month “brings Silicon Valley-style startup disruption to the business of books.”

Authors Equity has “a tiny core staff, offloading its labor to a network of freelancers,” and like a handful of other publishers “is upending the way that authors get paid, eschewing advances and offering a higher percentage of profits instead.”

It is worth watching because its team includes several of the most important publishing people of the twenty-first century. And if it works, it will offer a model for tightening the connection between book culture and capitalism, a leap forward for the forces of efficiency and the fantasies of frictionless markets, ushering in a world where literature succeeds if and only if it sells….

Authors Equity’s website presents its vision in strikingly neoliberal corporatespeak. The company has four Core Principles: Aligned Incentives; Bespoke Teams; Flexibility and Transparency; and Long-Term Collaboration. What do they mean by these MBA keywords? Aligned Incentives is explained in the language of human capital: “Our profit-share model rewards authors who want to bet on themselves.” Authors, that is, take on more of the financial risk of publication. At a traditional publishing house, advances provide authors with guaranteed cash early in the process that they can use to live off while writing. With Authors Equity, nothing is guaranteed and nothing given ahead of time; an author’s pay depends on their book’s profits.

In an added twist, “Profit participation is also an option for key members of the book team, so we’re in a position to win together.” Typically, only an author’s agent’s income is directly tied to an author’s financial success, but at Authors Equity, others could have a stake. This has huge consequences for the logic of literary production. If an editor, for example, receives a salary and not a cut of their books’ profits, their incentives are less immediately about profit, offering more wiggle room for aesthetic value. The more the people working on books participate in their profits, the more, structurally, profit-seeking will shape what books look like.

“Bespoke Teams” is a euphemism for gigification. With a tiny initial staff of six, Authors Equity uses freelance workers to make books, unlike traditional publishers, which have many employees in many departments… Their fourth Core Principle — Long-Term Collaboration — addresses widespread frustration with a systemic problem in traditional publishing: the fetishization of debut authors who receive decent or better advances, fail to earn out, and then struggle to have a career. It’s a real problem and one where authors’ interests and capitalist rationalization are, as it were, aligned. Authors Equity sees that everyone might profit when an author can build a readership and develop their skill.
The article concludes with this prediction. “It’s not impossible that we’ll look back in twenty years and see its founding as auguring the beginning of the startup age in publishing.”

Food for thought… Pulp-fiction mystery writer Mickey Spillane once said, “I’m a writer, not an author. The difference is, a writer makes money.”


Air Industry Trends Safer, But ‘Flukish’ Second Crash Led Boeing to Mishandled Media Storm, WSJ Argues

There’s actually “a global trend toward increased air safety,” notes a Wall Street Journal columnist.

And even in the case of the two fatal Boeing crashes five years ago, he stresses that they were “two different crashes,” with the second happening only “after Boeing and the FAA issued emergency directives instructing pilots how to compensate for Boeing’s poorly designed flight control software.”

“The story should have ended after the first crash except the second set of pilots behaved in unexpected, unpredictable ways, flying a flyable Ethiopian Airlines jet into the ground.”

Boeing is guilty of designing a fallible system and placing an undue burden on pilots. The evidence strongly suggests, however, that the Ethiopian crew was never required to master the simple remedy despite the global furor occasioned by the first crash. To boot, they committed an additional error by overspeeding the aircraft in defiance of aural, visual and stick-shaker warnings against doing so. It got almost no coverage, but on the same day the Ethiopian government issued its final findings on the accident in late 2022, the U.S. National Transportation Safety Board, in what it called an “unusual step,” issued its own “comment” rebuking the Ethiopian report for “inaccurate” statements, for ignoring the crew’s role, for ignoring how readily the accident should have been avoided.

So the Wall Street Journal columnist challenges whether profit incentives played any role in Boeing’s troubles:

In reality, the global industry was reorganized largely along competitive profit-and-loss lines after the 1970s, and yet this coincided with enormous increases in safety, notwithstanding the sausage factory elements occasionally on display (witness the little-reported parking of hundreds of Airbus planes over a faulty new engine).

The point here isn’t blame but to note that 100,000 repetitions likely wouldn’t reproduce the flukish second MAX crash and everything that followed from it. Rather than surfacing Boeing’s deeply hidden problems, it seems the second crash gave birth to them. The subsequent 20-month grounding and production shutdown, combined with Covid, cost Boeing thousands of skilled workers. The pressure of its duopoly competition with Airbus plus customers clamoring for their backordered planes made management unwisely desperate to restart production. January’s nonfatal door-plug blowout of an Alaska Airlines 737 appears to have been a one-off when Boeing workers failed to reinstall the plug properly after removing it to fix faulty fuselage rivets. Not a one-off, apparently, are faulty rivets as Boeing has strained to hire new staff and resume production of half-finished planes.

Boeing will sort out its troubles eventually by applying the oldest of manufacturing insights: Training, repetition, standardization and careful documentation are the way to error-free complex manufacturing.
As he sees it, “The second MAX crash caught Boeing up in a disorienting global media and political storm that it didn’t know how to handle and, indeed, has handled fairly badly.”


New Book Remembers LAN Parties and the 1990s ‘Multiplayer Revolution’

CNN looks back to when “dial-up internet (and its iconic dial tone) was ‘still a thing…’”

“File-sharing services like Napster and LimeWire were just beginning to take off… And in sweaty dorm rooms and sparse basements across the world, people brought their desktop monitors together to set up a local area network (LAN) and play multiplayer games — “Half-Life,” “Counter-Strike,” “Starsiege: Tribes,” “StarCraft,” “WarCraft” or “Unreal Tournament,” to name just a few. These were informal but high-stakes gatherings, then known as LAN parties, whether the stakes were a box of energy drinks or just the joy of emerging victorious. The parties could last several days and nights, with gamers crowded together among heavy computers and fast food boxes, crashing underneath their desks in sleeping bags and taking breaks to pull pranks on each other or watch movies…

It’s this nostalgia that prompted writer and podcaster Merritt K to document the era’s gaming culture in her new photobook “LAN Party: Inside the Multiplayer Revolution.” After floating the idea on X, the social media platform formerly known as Twitter, she received an immediate — and visceral — response from old-school gamers all too keen to share memories and photos from LAN parties and gaming conventions across the world… It’s strange to remember that the internet was once a place you went to spend time with other real people; a tethered space, not a cling-film-like reality enveloping the corporeal world from your own pocket….

Growing up as a teenager in this era, you could feel a sense of hope (that perhaps now feels like naivete) about the possibilities of technology, K explained. The book is full of photos featuring people smiling and posing with their desktop monitors, pride and fanfare apparent… “It felt like, ‘Wow, the future is coming,'” K said. “It was this exciting time where you felt like you were just charting your own way. I don’t want to romanticize it too much, because obviously it wasn’t perfect, but it was a very, very different experience….”

“We’ve kind of lost a lot of control, I think over our relationship to technology,” K said. “We have lost a lot of privacy as well. There’s less of a sense of exploration because there just isn’t as much out there.”

One photo shows a stack of Mountain Dew cans (remembering that by 2007 the company had even released a line of soda called “Game Fuel”). “It was a little more communal,” the book’s author told CNN. “If you’re playing games in the same room with someone, it’s a different experience than doing it online. You can only be so much of a jackass to somebody who was sitting three feet away from you…”

She adds that the feeling of connecting to people in other places “was cool. It wasn’t something that was taken for granted yet.”


‘Tetris Reversed’? Alexey Pajitnov Shows Footage From Rediscovered Prototype for ‘Tetris’ Sequel

Tetris creator Alexey Pajitnov and others spoke at the Game Developers Conference about Tetris Reversed, reports VentureBeat — and told the story of “a lost prototype of a Tetris game that was never published.”

But little did Pajitnov know that an engineer in charge of the game, Vedran Klanac, had kept a copy of it. Through the help of intermediaries, he showed it to Pajitnov and the two shared their memories of what happened to the lost game…

Pajitnov has lived in the U.S. since 1991, where he has been involved in the development of games such as Pandora’s Box and worked with companies such as Microsoft and WildSnake Software… Klanac is the CEO of Ocean Media, and he is originally from Zagreb, Croatia. He was an aerospace engineer who started his career in the games industry with Croteam where he built the physics engine for Serious Sam 2.
Since 2006, he has been running Ocean Media, a game publishing company with a focus on consoles. During the last 20 years, he was involved in production as a programmer and executive producer in more than 200 projects. And it turns out he was the programmer who created the Tetris Reversed code based on instructions from Pajitnov, who had passed them on through a middleman. In 2011, programmer Vedran Klanac went to the NLGD Festival of Games in Utrecht, The Netherlands. He listened to a talk on a charitable effort from Martin de Ronde, a cofounder of game studio Guerrilla Games. Klanac said in an interview with GamesBeat that he listened to De Ronde’s talk and offered to help. De Ronde came back months later saying he had an agreement with Pajitnov about creating a new prototype for a Tetris game.

De Ronde asked Klanac if he wanted to make Tetris Reversed by Pajitnov.

“Are you kidding me?” Klanac reacted.

The idea is still to survive as long as you can, according to the article — but the entire playfield was accessible. “For the first time in public, they showed the video of the prototype in action,” according to the article, which also records Pajitnov’s reaction. “When you see the gameplay video, and when you look at the design elements. This is Tetris for like 300 IQ people.”

No word yet on whether the game will ever be officially published.


Database For UK Nurse Registration ‘Completely Unacceptable’

Lindsay Clark reports via The Register: The UK Information Commissioner’s Office has received a complaint detailing the mismanagement of personal data at the Nursing and Midwifery Council (NMC), the regulator that oversees worker registration. Employment as a nurse or midwife depends on enrollment with the NMC in the UK. According to whistleblower evidence seen by The Register, the databases on which the personal information is held lack rudimentary technical standards and practices. The NMC said its data was secure with a high level of quality, allowing it to fulfill its regulatory role, although it was on “a journey of improvement.” But without basic documentation, or the primary keys or foreign keys common in database management, the Microsoft SQL Server databases — holding information about 800,000 registered professionals — are difficult to query and manage, making assurances on governance nearly impossible, the whistleblower told us.

The databases have no version control systems. Important fields for identifying individuals were used inconsistently — for example, containing junk data, test data, or null data. Although the tech team used workarounds to compensate for the lack of basic technical standards, they were ad hoc and known by only a handful of individuals, creating business continuity risks should they leave the organization, according to the whistleblower. Despite having been warned of the issues of basic technical practice internally, the NMC failed to acknowledge the problems. Only after exhausting other avenues did the whistleblower raise concern externally with the ICO and The Register. The NMC stores sensitive data on behalf of the professionals that it registers, including gender, sexual orientation, gender identity, ethnicity and nationality, disability details, marital status, as well as other personal information.

The whistleblower’s complaint claims the NMC falls well short of [the standards required under current UK law for data protection and the EU’s General Data Protection Regulation (GDPR)]. The statement alleges that the NMC’s “data management and data retrieval practices were completely unacceptable.” “There is not even much by way of internal structure of the databases for self-documentation, such as primary keys, foreign keys (with a few honorable exceptions), check constraints and table constraints. Even fields that should not be null are nullable. This is frankly astonishing and not the practice of a mature, professional organization,” the statement says. For example, the databases contain a unique ten-digit number (or PRN) to identify individuals registered to the NMC. However, the fields for PRNs sometimes contain individuals’ names, start with a letter or other invalid data, or are simply null. The whistleblower’s complaint says that the PRN problem, and other database design deficiencies, meant that it was nearly impossible to produce “accurate, correct, business critical reports … because frankly no one knows where the correct data is to be found.” A spokesperson for the NMC said the register was “organized and documented” in the SQL Server database. “For clarity, the register of all our nurses, midwives and nursing practitioners is held within Dynamics 365 which is our system of record. This solution and the data held within it, is secure and well documented. It does not rely on any SQL database. The SQL database referenced by the whistleblower relates to our data warehouse which we are in the process of modernizing as previously shared.”
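The complaint above turns on missing primary keys, foreign keys, check constraints and NOT NULL constraints, and on a ten-digit PRN column that sometimes holds names, letter-prefixed values or NULL. As an added illustration of what those constraints buy, and not the NMC's schema or data (the table layout, column names, role table and rows are all constructed for the example), the script below loads the same bad rows first into an unconstrained table, where a reporting query has to classify the mess after the fact, and then into a constrained one, where the database refuses each bad row and names the rule it broke:

```python
"""Schema constraints as the self-documentation the complaint says is missing.
Added illustration: a legacy table with no keys or checks beside one with a
NOT NULL, format-checked primary key and a foreign key. Table layout, column
names and rows are constructed for the example; they are not the NMC's schema
or data."""
import sqlite3

TEN_DIGITS = "[0-9]" * 10          # GLOB pattern: exactly ten decimal digits

# Constructed reference data and rows imitating the reported failure modes.
ROLES = [(1, "Registered nurse"), (2, "Midwife"), (3, "Nursing associate")]
LEGACY_ROWS = [
    ("0012345678", 1),   # well-formed
    ("J. Smith", 2),     # a person's name in the PRN column
    ("A123456789", 1),   # letter-prefixed
    (None, 3),           # NULL PRN
    ("0098765432", 9),   # well-formed PRN, but role 9 does not exist
    ("0012345678", 2),   # duplicate PRN
    ("0055555555", 2),   # well-formed
]

LEGACY_DDL = """
CREATE TABLE role (role_id INTEGER, name TEXT);
CREATE TABLE registrant (prn TEXT, role_id INTEGER);   -- no keys, no checks
"""
HARDENED_DDL = f"""
CREATE TABLE role (
    role_id INTEGER PRIMARY KEY,
    name    TEXT NOT NULL UNIQUE
);
CREATE TABLE registrant (
    prn     TEXT NOT NULL PRIMARY KEY CHECK (prn GLOB '{TEN_DIGITS}'),
    role_id INTEGER NOT NULL REFERENCES role(role_id)
);
"""


def audit_legacy(rows):
    """Load rows into the unconstrained schema and count what a reporting
    query has to work around: NULL, malformed and duplicate PRNs, and role
    references that point nowhere."""
    con = sqlite3.connect(":memory:")
    con.executescript(LEGACY_DDL)
    con.executemany("INSERT INTO role VALUES (?, ?)", ROLES)
    con.executemany("INSERT INTO registrant VALUES (?, ?)", rows)
    states = dict(con.execute(f"""
        SELECT CASE WHEN prn IS NULL THEN 'null'
                    WHEN prn GLOB '{TEN_DIGITS}' THEN 'valid'
                    ELSE 'malformed' END AS state, COUNT(*)
        FROM registrant GROUP BY state"""))
    duplicates = [p for (p,) in con.execute(
        "SELECT prn FROM registrant WHERE prn IS NOT NULL "
        "GROUP BY prn HAVING COUNT(*) > 1")]
    (dangling,) = con.execute(
        "SELECT COUNT(*) FROM registrant r LEFT JOIN role ro "
        "ON ro.role_id = r.role_id WHERE ro.role_id IS NULL").fetchone()
    con.close()
    return {"prn_state": states, "duplicate_prns": duplicates,
            "dangling_roles": dangling}


def load_hardened(rows):
    """Insert the same rows under the constrained schema. Each bad row is
    rejected by the database itself, with the violated constraint named."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")     # SQLite enforces FKs only when asked
    con.executescript(HARDENED_DDL)
    con.executemany("INSERT INTO role VALUES (?, ?)", ROLES)
    accepted, rejected = [], []
    for prn, role_id in rows:
        try:
            con.execute("INSERT INTO registrant VALUES (?, ?)", (prn, role_id))
            accepted.append(prn)
        except sqlite3.IntegrityError as err:
            # e.g. "CHECK constraint failed: ..." -> "CHECK"
            rejected.append((prn, str(err).split(" constraint")[0]))
    con.commit()
    con.close()
    return accepted, rejected


if __name__ == "__main__":
    print(audit_legacy(LEGACY_ROWS))
    print(load_hardened(LEGACY_ROWS))
```

In the unconstrained table every row loads and the audit query reports four valid, two malformed and one NULL PRN, one duplicate and one dangling role reference; in the constrained table only the two clean rows are accepted and the other five come back with CHECK, NOT NULL, FOREIGN KEY or UNIQUE as the reason. The constraints are also readable from the DDL alone, which is the self-documentation the complaint says the databases lack. Note that SQLite only enforces foreign keys when `PRAGMA foreign_keys = ON` is set on the connection; SQL Server enforces declared foreign keys by default.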


New ‘GoFetch’ Apple CPU Attack Exposes Crypto Keys

“There is a new side channel attack against Apple ‘M’ series CPUs that does not appear to be fixable without a major performance hit,” writes Slashdot reader EncryptedSoldier. SecurityWeek reports: A team of researchers representing several universities in the United States has disclosed the details of a new side-channel attack method that can be used to extract secret encryption keys from systems powered by Apple CPUs. The attack method, dubbed GoFetch, has been described as a microarchitectural side-channel attack that allows the extraction of secret keys from constant-time cryptographic implementations. These types of attacks require local access to the targeted system. The attack targets a hardware optimization named data memory-dependent prefetcher (DMP), which attempts to prefetch addresses found in the contents of program memory to improve performance.

The researchers have found a way to use specially crafted cryptographic operation inputs that allow them to infer secret keys, guessing them bits at a time by monitoring the behavior of the DMP. They managed to demonstrate end-to-end key extraction attacks against several crypto implementations, including OpenSSL Diffie-Hellman Key Exchange, Go RSA, and the post-quantum CRYSTALS-Kyber and CRYSTALS-Dilithium. The researchers have conducted successful GoFetch attacks against systems powered by Apple M1 processors, and they have found evidence that the attack could also work against M2 and M3 processors. They have also tested an Intel processor that uses DMP, but found that it’s ‘more robust’ against such attacks.

The experts said Apple is investigating the issue, but fully addressing it does not seem trivial. The researchers have proposed several countermeasures, but they involve hardware changes that are not easy to implement or mitigations that can have a significant impact on performance. Apple told SecurityWeek that it thanks the researchers for their collaboration as this work advances the company’s understanding of these types of threats. The tech giant also shared a link to a developer page that outlines one of the mitigations mentioned by the researchers. The researchers have published a paper (PDF) detailing their work.
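The mechanism described above, as an added toy model rather than the researchers' code, and not an attack on any real CPU: a prefetcher that treats any stored value inside the process's mapped range as a pointer and pulls in the line it addresses, a victim routine that is constant-time in the usual sense (no secret-dependent branch or memory access) but whose intermediate value depends on a secret bit, and an attacker who picks the victim's input so that the intermediate equals a probe address exactly when the bit is 1. The same script shows input blinding, one of the software countermeasures the researchers discuss, which randomises the intermediate so the prefetcher's behaviour no longer tracks the secret. The address range, the pointer heuristic, the constant `K`, the victim routine and the sample key bits are all assumptions of this model; the real work targeted OpenSSL DH, Go RSA, Kyber and Dilithium rather than a one-bit conditional add.

```python
"""Toy model of a data memory-dependent prefetcher (DMP) turning constant-time
code into a cache side channel, with input blinding as the countermeasure.
Added illustration; not the GoFetch code and not an attack on any real CPU.
The address range, the prefetcher's pointer heuristic and the victim routine
are assumptions of this model."""
import secrets

WORD = (1 << 64) - 1
# Simulated mapping: the toy DMP treats any 64-bit value in this range as a pointer.
MAPPED_BASE, MAPPED_SIZE = 0x1000_0000_0000, 1 << 20
LINE = 64
K = 1 << 24   # the "key-dependent" step the victim conditionally adds


class ToyDMP:
    """Looks at every value the victim stores; if it would be a valid pointer,
    pulls the line it points at into the cache, whether or not the program
    ever dereferences it."""

    def __init__(self):
        self.cached_lines = set()

    @staticmethod
    def looks_like_pointer(word):
        return MAPPED_BASE <= word < MAPPED_BASE + MAPPED_SIZE

    def observe_store(self, word):
        if self.looks_like_pointer(word):
            self.cached_lines.add(word // LINE)

    def probe(self, addr):
        """The attacker's timing measurement: a fast load means the line is cached."""
        return addr // LINE in self.cached_lines


def victim(dmp, secret_bit, x, blind):
    """Constant-time in the classic sense: no branch and no memory access
    depends on secret_bit. Only the *value* of the intermediate does, and the
    DMP turns that value into a memory access."""
    r = secrets.randbits(64) if blind else 0         # blinding mask
    x_b = (x + r) & WORD                              # blinded input
    add = K & (-secret_bit & WORD)                    # K if bit == 1 else 0, branch-free
    y_b = (x_b + add) & WORD                          # intermediate written to memory
    dmp.observe_store(y_b)
    return (y_b - r) & WORD                           # unblind; the result is unchanged


def recover_bit(secret_bit, blind=False):
    """Attacker: choose x so that the intermediate equals a probe address exactly
    when the secret bit is 1, run the victim, then time the probe."""
    probe = MAPPED_BASE + 4096
    x = probe - K                   # not pointer-like on its own (below the mapping)
    dmp = ToyDMP()
    victim(dmp, secret_bit, x, blind)
    return 1 if dmp.probe(probe) else 0


def leak_rate(secret_bits, blind=False):
    """Fraction of bits the attacker recovers correctly."""
    return sum(recover_bit(b, blind) == b for b in secret_bits) / len(secret_bits)


if __name__ == "__main__":
    key = [int(c) for c in "1011001110100101" * 4]    # constructed 64-bit key
    print("unblinded:", leak_rate(key))          # 1.0: every bit recovered
    print("blinded:  ", leak_rate(key, True))    # 0.4375: the attacker only ever sees a miss
```

Without blinding the attacker recovers every bit, because the only thing the prefetcher needs is for a secret-dependent value to sit in memory, which is exactly what constant-time discipline never tried to prevent. With blinding the stored value is uniformly random, so the probe line is (almost) never touched and the attacker's guesses are no better than always answering 0. The cost is visible in the same lines: fresh randomness and an unblinding step on every operation, which is the kind of performance impact the paragraph above refers to.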

Ars Technica’s Dan Goodin also reported on the vulnerability.


Users Shocked To Find Instagram Limits Political Content By Default

Instagram has been limiting recommended political content by default without notifying users. Ars Technica reports: Instead, Instagram rolled out the change in February, announcing in a blog that the platform doesn’t “want to proactively recommend political content from accounts you don’t follow.” That post confirmed that Meta “won’t proactively recommend content about politics on recommendation surfaces across Instagram and Threads,” so that those platforms can remain “a great experience for everyone.” “This change does not impact posts from accounts people choose to follow; it impacts what the system recommends, and people can control if they want more,” Meta’s spokesperson Dani Lever told Ars. “We have been working for years to show people less political content based on what they told us they want, and what posts they told us are political.”

To change the setting, users can navigate to Instagram’s menu for “settings and activity” in their profiles, where they can update their “content preferences.” On this menu, “political content” is the last item under a list of “suggested content” controls that allow users to set preferences for what content is recommended in their feeds. There are currently two options for controlling what political content users see. Choosing “don’t limit” means “you might see more political or social topics in your suggested content,” the app says. By default, all users are set to “limit,” which means “you might see less political or social topics.” “This affects suggestions in Explore, Reels, Feed, Recommendations, and Suggested Users,” Instagram’s settings menu explains. “It does not affect content from accounts you follow. This setting also applies to Threads.” “Did [y’all] know Instagram was actively limiting the reach of political content like this?!” an X user named Olayemi Olurin wrote in an X post. “I had no idea ’til I saw this comment and I checked my settings and sho nuff political content was limited.”

“This is actually kinda wild that Instagram defaults everyone to this,” another user wrote. “Obviously political content is toxic but during an election season it’s a little weird to just hide it from everyone?”
