Computer scientists from Stanford University have found that programmers who accept help from AI tools like Github Copilot produce less secure code than those who fly solo. From a report: In a paper titled, "Do Users Write More Insecure Code with AI Assistants?", Stanford boffins Neil Perry, Megha Srivastava, Deepak Kumar, and Dan Boneh answer that question in the affirmative. Worse still, they found that AI help tends to delude developers about the quality of their output. "We found that participants with access to an AI assistant often produced more security vulnerabilities than those without access, with particularly significant results for string encryption and SQL injection," the authors state in their paper.

"Surprisingly, we also found that participants provided access to an AI assistant were more likely to believe that they wrote secure code than those without access to the AI assistant." Previously, NYU researchers have shown that AI-based programming suggestions are often insecure in experiments under different conditions. The Stanford authors point to an August 2021 research paper titled "Asleep at the Keyboard? Assessing the Security of GitHub Copilot's Code Contributions," which found that given 89 scenarios, about 40 per cent of the computer programs made with the help of Copilot had potentially exploitable vulnerabilities.

That study, the Stanford authors say, is limited in scope because it only considers a constrained set of prompts corresponding to 25 vulnerabilities and just three programming languages: Python, C, and Verilog. The Stanford scholars also cite a followup study from some of the same NYU eggheads, "Security Implications of Large Language Model Code Assistants: A User Study," as the only comparable user study they're aware of. They observe, however, that their work differs because it focuses on OpenAI's codex-davinci-002 model rather than OpenAI's less powerful codex-cushman-001 model, both of which play a role in GitHub Copilot, itself a fine-tuned descendant of a GPT-3 language model.

Like a visit from an old friend, it's Donald Knuth's annual Christmas tree lecture for 2022. "Because of the pandemic, it's been three years since Knuth has been able to honor this tradition," notes The New Stack: 2022 marks the 60th anniversary of that fateful day in 1962 when a 24-year-old Donald Knuth started writing " The Art of Computer Programming." Now approaching his 85th birthday, Knuth has become almost a legend in the world of computer programming — and he's still writing additional volumes for his massive analysis of algorithms. But every year, right around Christmas time, there's another tradition. Knuth gives a special lecture "pitched at non-specialists" for a small audience at Stanford University (where Knuth is a professor emeritus) and a larger audience online...

Hunched over a notepad (which was projected onto a screen behind him), Knuth began the 26th annual Christmas lecture by pointing out that the evening's topic had been hiding in plain sight for two decades. For the first 20 years, they'd called them the "Christmas tree" lectures, since "trees are one of the most important things to a computer scientist. And every year I learned at least two new cool things about trees..."

About five years ago they'd changed the name to just "Christmas lectures" — but the problem wasn't that trees stopped being interesting. "I still learn cool things about trees every year. But they're getting harder and harder to explain to a general audience!"

So this year's triumphant "homecoming" lecture would indeed include trees — specifically a phenomenon Knuth describes as "twintrees," along with Baxter permutations, and Floorplans. Knuth noted they're all topics touched on in the latest volume of The Art of Computer Programming, before jokingly reminding the audience that his book makes an excellent Christmas present.
By the end of the lecture, Knuth had written algorithms for all three mathematical concepts — then connected all three algorithms with Linux pipes to show what happens when you convert one kind of sequence into the other and then into the other.

"I get back, of course, the one I started with!"

A Valero gas station sells approximately 5,000 gallons of gas a day, one employee estimates.

But local police arrested six men who, in a series of robberies, tricked the pumps out of 30,000 gallons of gasoline, reports the Mercury News, "a haul authorities estimated was worth at least $180,000." Upon further inspection of surveillance video, authorities said, police saw one of the suspects activate a gas-pump computer, allowing another suspect to pump fuel into his vehicle.... An employee from the Valero station, who declined to give their name, called the process the gas thieves used "nearly untraceable."

"You must have a deep understanding of how the pump system works," the person said. "There is a time frame anywhere from 75 seconds to two minutes for the authorization to go through the network [after sliding a credit card into a gas pump]. In this (time period), there's an opportunity to manipulate the pump ... You're able to manipulate the pump and confuse the programming to an extent that the pump starts dispensing gas...."

In a Facebook post, authorities said the three suspects had been "conspiring together in a sophisticated operation to thwart security devices and pump electronics to steal large amounts of gasoline from the business...."

Authorities say $20,000 of damage was done to gas pumps.
Thanks to Slashdot reader k6mfw for submitting the story.

For three years Stockholm-based games studio Embark has been working on the Rust-gpu project to make Rust "a first class language and ecosystem for GPU programming." The project's latest announcement? rust-gpu now supports ray-tracing.

Their original announcement explained the rationale for this years-long dvelopment effort: Historically in games GPU programming has been done through writing either HLSL, or to a lesser extent GLSL. These are simple programming languages that have evolved along with rendering APIs over the years. However, as game engines have evolved, these languages have failed to provide mechanisms for dealing with large codebases, and have generally stayed behind the curve compared to other programming languages.

In part this is because it's a niche language for a niche market, and in part this has been because the industry as a whole has sunk quite a lot of time and effort into the status quo. While over-all better alternatives to both languages exist, none of them are in a place to replace HLSL or GLSL. Either because they are vendor locked, or because they don't support the traditional graphics pipeline. Examples of this include CUDA and OpenCL. And while attempts have been made to create language in this space, none of them have gained any notable traction in the gamedev community.

Our hope with this project is that we push the industry forward by bringing an existing, low-level, safe, and high performance language to the GPU; namely Rust. And with it come some additional benefits that can't be overlooked: a package/module system that's one of the industry's best, built in safety against race-conditions or out of bounds memory access, a wide range of tools and utilities to improve programmer workflows, and many others!
Along with ray-tracing, this week they announced plans to keep rust-gpu on the same schedule as the stable Rust release, "so you can use your favorite new language features as new stable versions of Rust are being released, by just updating your rust-gpu version."

Thanks to Slashdot reader guest reader for sharing the news!

A Microsoft .NET Community standup has left Windows desktop developers wondering what kind of future, if any, the company has planned for its older desktop application frameworks, Windows Forms and Windows Presentation Foundation (WPF). From a report: A "what's new" slide for WPF presented by senior program manager Olia Gavrysh last week shows "Community Run Project" as the first bullet point, causing consternation among attendees. "Who's happy that WPF is now a community run project? This is soooo scary," remarked Morten Nielsen, a senior principal engineer at ESRI working on the ArcGIS runtime, for location-based analytics.

The slide was perhaps misinterpreted. It was intended as an update on what is happening with pull requests from the community, rather than meaing that WPF has been handed over to the community. Nevertheless, concerns about the future of the framework are well founded. "It's not dead. we have a team working on WPF and supporting it," said Gavrysh, but added, "we now switch to the model where we accept a lot of PRs [pull requests] from the community because we think of WPF as [a] very mature project so not that much rapid development is happening."

Confidential data of about 112,000 taxpayers inadvertently published by the IRS over the summer was mistakenly republished in late November and remained online until early December, the IRS disclosed last week. From a report: Form 990-T data that was supposed to stay private had been taken offline but made its way back to the IRS site when a contractor uploaded an old file that still included most of the private information, a letter sent Thursday to congressional leaders said. The agency is required to make Form 990-Ts filed by nonprofit groups available online but is supposed to keep the form filed by individuals private; in both cases, the agency made that information available too.

An internal programming error caused the September release of private forms along with the ones filed by nonprofit groups, the letter said. This time, the contractor tasked with managing the database reuploaded the older file with the original data instead of a new file that filtered out the forms that needed to be kept private. The IRS shared corrected data with the contractor on Nov. 23, but the old files had not been purged from their system. A third-party researcher alerted the IRS the files were back online on Dec. 1, and the IRS ordered the contractor to take them down immediately. Roughly 104,000 of the 106,000 forms disclosed in September were redisclosed this time. The agency is reconsidering its relationship with the contractor Accenture on this project, the report added, citing a person familiar with the matter.

"Peak TV has peaked," reports the new York Times: The never-ending supply of new programming that helped define the streaming era — spawning shows at a breakneck pace but also overwhelming viewers with too many choices — appears to finally be slowing. The number of adult scripted series ordered by TV networks and streaming companies aimed for U.S. audiences fell by 24 percent in the second half of this year, compared with the same period last year, according to Ampere Analysis, a research firm. Compared with 2019, it is a 40 percent drop. "The second half of the year has really gone off a bit of a cliff," said Fred Black, a research manager at Ampere.

It may take some time for that to become apparent to viewers — if it becomes apparent at all, given the glut. It is usually months and sometimes more than a year for a TV show to premiere after a network orders it.

The drop is a result of broader reckoning inside the entertainment industry. For years, television executives tossed off billions of dollars on TV series to help build out their streaming services and chase subscribers. The spending has been a boon to high-profile writers and producers, who captured eight- and nine-figure deals, as well as for the actors, directors and behind-the-scenes workers who kept the engine going. But Wall Street soured on the buy-at-any-cost strategy starting in the spring, when Netflix, the streaming powerhouse, announced that it had lost subscribers for the first time in a decade. Netflix's stock nose-dived, and other entertainment companies soon watched their share prices fall, too. Hollywood companies quickly shifted, putting a new emphasis on higher profits instead of raw subscriber counts.

Then, in recent months, entertainment companies became increasingly anxious about a slowing economy, the cord-cutting movement and a troublesome advertising market. Since the summer, scores of executives have abruptly been dismissed, strict cost-cutting measures have been adopted and layoffs have taken hold throughout the industry.... Netflix also cut hundreds of jobs and introduced a cheaper advertising tier, overturning the company's longtime pledge to never allow commercials on the service. Warner Bros. Discovery, a company that was formed in April, faces a debt of roughly $50 billion, and has been in severe cost-cutting mode. There have been rounds of layoffs companywide, including at HBO and HBO Max, as well as sudden cancellations. The once-popular series "Westworld" was canceled last month — a move that surprised Hollywood — and the lesser-known, raunchy dating series "FBoy Island" was cut a few weeks ago....

There are a few outliers to this year's trend: Apple TV+ and Amazon have increased the number of adult scripted series they have purchased this year. So has Disney, according to Ampere's research. (For the second half of the year, however, Disney's buying has declined compared with the same period last year.)

Stack Overflow has the announced the results of its annual survey of developers. ZDNet reports: Almost three-quarters (74%) of developers are actively looking for new roles or are open to fresh opportunities, according to research.... The highest percentage of active job seekers is in the 20-24 year-old cohort (27%), with 21% for 25-34 year-olds, 17% for 35-44 year-olds, and only 12% for 45-54 year-olds.

Additionally, the percentage of younger developers actively searching for their next role increased nine points year over year, according to the survey of 2,600 developers by StackOverflow....

Some 54% of respondents to the StackOverflow survey said a better salary is the largest motivator when considering a new opportunity. The biggest factors that stop developers from looking for new jobs are flexibility (58%), salary (54%), and learning opportunities (54%). Developers also want flexibility and the option to work from home, with 46% citing starting/ending the day at a precise time or being expected to work from an office (44%) as the top drawbacks in their current roles.

"Regardless of the economy, it's clear salary is important but it's not everything," says StackOverflow CEO Prashanth Chandrasekar.

TechCrunch reports: Every developer knows that it's a bad idea to hardcode security credentials into source code. Yet it happens and when it does, the consequences can be dire. Until now, GitHub only made its secret scanning service available to paying enterprise users who paid for GitHub Advanced Security, but starting Thursday, the Microsoft-owned company is making its secrets scanning service available for all public GitHub repos for free.

In 2022 alone, the company notified partners in its secret scanning partner program of more than 1.7 million potential secrets that were exposed in public repositories. The service scans repositories for over 200 known token formats and then alerts partners of potential leaks — and you can define your own regex patterns, too.... However, the rollout of the service will be gradual and it will not be available to all users until the end of January 2023.
TechCrunch also notes there's alternatives (including open source GitLeaks).

In June GitHub announced they'd retire their customizable text editor Atom on December 15th — so they could focus their development efforts on the IDEs Microsoft Visual Studio Code and GitHub Codespaces. "As new cloud-based tools have emerged and evolved over the years, Atom community involvement has declined significantly," according to a post on GitHub's blog.

So while "GitHub and our community have benefited tremendously from those who have filed issues, created extensions, fixed bugs, and built new features on Atom," this now means that:

- Atom package management will stop working
- No more security updates
- Teletype will no longer work
- Deprecated redirects that supported downloading Electron symbols and headers will no longer work
- Pre-built Atom binaries can continue to be downloaded from the atom repository releases

Fortunately, in 2014 GitHub open sourced the code for Atom. And according to It's FOSS News: A community build for it is already available; however, there seems to be a new version (Pulsar) that aims to bring feature parity with the original Atom and introduce modern features and updated architecture....

The reason why they made a separate fork is because of different goals for the projects. Pulsar wants to modernize everything to present a successor to Atom. Of course, the user interface is much of the same. Considering Pulsar hasn't had a stable release yet, the branding could sometimes seem all over the place. However, the essentials seem to be there with the documentation, packages, and features like the ability to install packages from Git repositories....

As of now, it is too soon to say if Pulsar will become something better than what the Atom community version offers. However, it is something that we can keep an eye on.... You can head to its official download page to get the package required for your system and test it out.
Like Atom, Pulsar is cross-platform support (supporting Linux, macOS, and Windows).

"John Carmack, the programmer who brought us Doom, Quake and Oculus/Meta virtual reality products, has resigned from his executive consultant post for virtual reality at Meta," reports VentureBeat.

"This is the end of my decade in VR," Carmack wrote in an internal post (which he later reposted on Facebook).

"I have mixed feelings." Quest 2 [Meta's VR headset] is almost exactly what I wanted to see from the beginning — mobile hardware, inside out tracking, optional PC streaming, 4k (ish) screen, cost effective. Despite all the complaints I have about our software, millions of people are still getting value out of it. We have a good product. It is successful, and successful products make the world a better place. It all could have happened a bit faster and been going better if different decisions had been made, but we built something pretty close to The Right Thing.

The issue is our efficiency.... We have a ridiculous amount of people and resources, but we constantly self-sabotage and squander effort....

It has been a struggle for me. I have a voice at the highest levels here, so it feels like I should be able to move things, but I'm evidently not persuasive enough. A good fraction of the things I complain about eventually turn my way after a year or two passes and evidence piles up, but I have never been able to kill stupid things before they cause damage, or set a direction and have a team actually stick to it. I think my influence at the margins has been positive, but it has never been a prime mover.

This was admittedly self-inflicted — I could have moved to Menlo Park after the Oculus acquisition and tried to wage battles with generations of leadership, but I was busy programming, and I assumed I would hate it, be bad at it, and probably lose anyway.

Enough complaining. I wearied of the fight and have my own startup to run, but the fight is still winnable! VR can bring value to most of the people in the world, and no company is better positioned to do it than Meta. Maybe it actually is possible to get there by just plowing ahead with current practices, but there is plenty of room for improvement.

Make better decisions and fill your products with "Give a Damn"!

Google this week released OSV-Scanner -- an open source vulnerability scanner linked to the OSV.dev database that debuted last year. From a report: Written in the Go programming language, OSV-Scanner is designed to scan open source applications to assess the security of any incorporated dependencies -- software libraries that get added to projects to provide pre-built functions so developers don't have to recreate those functions on their own. Modern applications can have a lot of dependencies. For example, researchers from Mozilla and Concordia University in Canada recently created a single-page web application with the React framework using the create-react-app command. The result was a project with seven runtime dependencies and nine development dependencies.

But each of these direct dependencies had other dependencies, known as transitive dependencies. The react package includes loose-envify as a transitive dependency -- one that itself depends on other libraries. All told, this basic single-page "Hello world" app required a total of 1,764 dependencies. As Rex Pan, a software engineer on Google's Open Source Security Team, observed on Tuesday in a blog post, vetting thousands of dependences isn't something developers can do on their own.

An anonymous reader quotes a report from KrebsOnSecurity: On Dec. 10, 2022, the relatively new cybercrime forum Breached featured a bombshell new sales thread: The user database for InfraGard, including names and contact information for tens of thousands of InfraGard members. The FBI's InfraGard program is supposed to be a vetted Who's Who of key people in private sector roles involving both cyber and physical security at companies that manage most of the nation's critical infrastructures -- including drinking water and power utilities, communications and financial services firms, transportation and manufacturing companies, healthcare providers, and nuclear energy firms. "InfraGard connects critical infrastructure owners, operators, and stakeholders with the FBI to provide education, networking, and information-sharing on security threats and risks," the FBI's InfraGard fact sheet reads.

KrebsOnSecurity contacted the seller of the InfraGard database, a Breached forum member who uses the handle "USDoD" and whose avatar is the seal of the U.S. Department of Defense. USDoD said they gained access to the FBI's InfraGard system by applying for a new account using the name, Social Security Number, date of birth and other personal details of a chief executive officer at a company that was highly likely to be granted InfraGard membership. The CEO in question -- currently the head of a major U.S. financial corporation that has a direct impact on the creditworthiness of most Americans -- did not respond to requests for comment. USDoD told KrebsOnSecurity their phony application was submitted in November in the CEO's name, and that the application included a contact email address that they controlled -- but also the CEO's real mobile phone number. "When you register they said that to be approved can take at least three months," USDoD said. "I wasn't expected to be approve[d]." But USDoD said that in early December, their email address in the name of the CEO received a reply saying the application had been approved. While the FBI's InfraGard system requires multi-factor authentication by default, users can choose between receiving a one-time code via SMS or email. "If it was only the phone I will be in [a] bad situation," USDoD said. "Because I used the person['s] phone that I'm impersonating."

USDoD said the InfraGard user data was made easily available via an Application Programming Interface (API) that is built into several key components of the website that help InfraGard members connect and communicate with each other. USDoD said after their InfraGard membership was approved, they asked a friend to code a script in Python to query that API and retrieve all available InfraGard user data. "InfraGard is a social media intelligence hub for high profile persons," USDoD said. "They even got [a] forum to discuss things." USDoD acknowledged that their $50,000 asking price for the InfraGard database may be a tad high, given that it is a fairly basic list of people who are already very security-conscious. Also, only about half of the user accounts contain an email address, and most of the other database fields -- like Social Security Number and Date of Birth -- are completely empty. [...] While the data exposed by the infiltration at InfraGard may be minimal, the user data might not have been the true end game for the intruders. USDoD said they were hoping the imposter account would last long enough for them to finish sending direct messages as the CEO to other executives using the InfraGuard messaging portal.

"Java is no longer among the top three most popular programming languages in the TIOBE Index," reports the Register, "one of several not particularly definitive yardsticks by which such things are measured." According to Paul Jansen, CEO of Netherlands-based TIOBE Software, the rising popularity of C++ has pushed Java down a notch. The index's rankings are now:

- Python in first place
- C second
- C++ third, and
- Java fourth.

C++ stepped up to third, and Java fell to fourth. "C++ surpassed Java for the first time in the history of the TIOBE Index, which means that Java is at position 4 now," said Jansen in the December update for the TIOBE Index. "This is the first time that Java is not part of the top 3 since the beginning of the TIOBE Index in 2001."

The surge in C++, perhaps in part helped by the stable release of C++ 20 in December 2020, is particularly ironic in light of the language's recent dismissal by Microsoft CTO Mark Russinovich, which coincides with industry evangelism for Rust and its capacity for memory safety.
The article points out that other rankings still show a slighty higher popularity for Java. And ZDNet notes the other languages rising quickly in popularity over the last 12 months: In a year-on-year comparison in Tiobe's index, the languages now in the top 20 that made significant gains over the period are: Rust (up from 27 to 20), Objective-C (up from 29 to 19), science-specialized MATLAB (20 to 14), and Google's Go language (up from 19 to 12).

"Linus has released the 6.1 kernel," reports LWN.net — and it's the one with initial support for kernel development in Rust.

Elsewhere LWN explains the specifics of this milestone: No system with a production 6.1 kernel will be running any Rust code, but this change does give kernel developers a chance to play with the language in the kernel context and get a sense for how Rust development feels....

There are other initiatives underway, including the writing of an Apple graphics driver in the Rust language. For the initial merge into the mainline kernel, though, Linus Torvalds made it clear that as little functionality as possible should be included. So those drivers and their support code were trimmed out and must wait for a future kernel release. What is there is the support needed to build a module that can be loaded into the kernel, along with a small sample module.... Torvalds asked for something that could do "hello world" and that is what we got. It is something that can be played with, but it cannot be used for any sort of real kernel programming at this point.

That situation will, hopefully, change in the near future.
Meanwhile, Linux 6.1 also includes "support for destructive BPF programs, some significant io_uring performance improvements, better user-space control over transparent huge-page creation, improved memory-tiering support."

The Register adds: Other interesting additions include more support for the made-in-China LoongArch CPU architecture, introductory work to support Wi-Fi 7 and security fixes for some flaky Wi-Fi routines in previous versions of the kernel. There's also plenty of effort to improve the performance of Linux on laptops, and enhanced power efficiency for AMD's PC-centric RYZEN silicon.

The story of PostScript "is a story about profound changes in human literacy," argues Silicon Valley's Computer History Museum, "as well as a story of trade secrets within source code."

And 40 years after it's creation... The Computer History Museum is excited to publicly release, for the first time, the source code for the breakthrough printing technology, PostScript. We thank Adobe, Inc. for their permission and support, and John Warnock [Adobe's 82-year-old co-founder] for championing this release....

From the start of Adobe Systems Incorporated (now Adobe, Inc.) exactly forty years ago in December 1982, the firm's cofounders envisioned a new kind of printing press — one that was fundamentally digital, using the latest advances in computing. Initial discussions by cofounders Chuck Geschke and John Warnock with computer-makers such as Digital Equipment Corporation and Apple convinced them that software was the key to the new digital printing press. Their vision: Any computer could connect with printers and typesetters via a common language to print words and images at the highest fidelity. Led by Warnock, Adobe assembled a team of skillful and creative programmers to create this new language. In addition to the two cofounders, the team included Doug Brotz, Bill Paxton, and Ed Taft. The language they created was in fact a complete programming language, named PostScript, and was released by Adobe in 1984.

By treating everything to be printed the same, in a common mathematical description, PostScript granted abilities offered nowhere else. Text and images could be scaled, rotated, and moved at will, as in the opening image to this essay. Adobe licensed PostScript to computer-makers and printer manufacturers, and the business jumped into a period of hypergrowth....

Today, most printers rely on PostScript technology either directly or through a technology that grew out of it: PDF (Portable Document Format). John Warnock championed the development of PDF in the 1990s, transforming PostScript into a technology that was safer and easier to use as the basis for digital documents, but retaining all the benefits of interoperability, fidelity, and quality. Over the decades, Adobe had developed PDF tremendously, enhancing its features, and making it a crucial standard for digital documents, printing, and for displaying graphics of all kinds on the screens from laptops to smartphones and smartwatches.
Thanks to guest reader for submitting the story.

"When the third major release of the Dart programming language debuts in mid-2023, null values will no longer be allowed where they're not expected," reports the Register: Null in this context is an assignment value indicating the absence of a value or referenced object.... Dart, an object-oriented, garbage-collected C-like language that once aspired to replace JavaScript, supported sound null safety — a way to prevent errors from accessing variables set to null — as of version 2.12. But it maintained modes for running code without null safety or with partial null safety. Dart 3 will no longer entertain those suboptimal possibilities.

"Our next release, Dart 3, completes the journey to a fully sound null safe language," explained Michael Thomsen, product manager on Dart and Flutter, in a blog post. "As the last step of that journey, we're removing several historical Dart language and SDK artifacts, including removing support for running without sound null safety." Sound null safety, Thomsen explains, means that a non-nullable variable never contains a null value. Not every implementation of null safety is so certain: TypeScript, for example, is unsound — you can assign a null value to a non-null variable. C# has exceptions to its null checks. And Kotlin also has exceptions.

Dart's transition will help catch type-related bugs at compile time, and should improve code readability, maintainability, and ahead-of-time (AOT) compilation. There's a cost however. Sound null safety will be the only option so pubspec files — Dart package metadata — with an SDK constraint set for less than 2.12 will no longer resolve in Dart 3. According to Thomsen, about 85 percent of Flutter code (which is written in Dart) supports sound null safety at this point. Those with apps and packages in the remaining 15 percent are urged to adapt their code prior to Dart 3's arrival....

Following the release of Dart 3, the next significant milestone for the language is likely to be support for compiling Dart code into WebAssembly (Wasm), which will allow Flutter Web apps to run as native code in browsers.

DeepMind's new artificial intelligence system called AlphaCode was able to "achieve approximately human-level performance" in a programming competition. The findings have been published in the journal Science. Slashdot reader sciencehabit shares a report from Science Magazine: AlphaCode's creators focused on solving those difficult problems. Like the Codex researchers, they started by feeding a large language model many gigabytes of code from GitHub, just to familiarize it with coding syntax and conventions. Then, they trained it to translate problem descriptions into code, using thousands of problems collected from programming competitions. For example, a problem might ask for a program to determine the number of binary strings (sequences of zeroes and ones) of length n that don't have any consecutive zeroes. When presented with a fresh problem, AlphaCode generates candidate code solutions (in Python or C++) and filters out the bad ones. But whereas researchers had previously used models like Codex to generate tens or hundreds of candidates, DeepMind had AlphaCode generate up to more than 1 million.

To filter them, AlphaCode first keeps only the 1% of programs that pass test cases that accompany problems. To further narrow the field, it clusters the keepers based on the similarity of their outputs to made-up inputs. Then, it submits programs from each cluster, one by one, starting with the largest cluster, until it alights on a successful one or reaches 10 submissions (about the maximum that humans submit in the competitions). Submitting from different clusters allows it to test a wide range of programming tactics. That's the most innovative step in AlphaCode's process, says Kevin Ellis, a computer scientist at Cornell University who works AI coding.

After training, AlphaCode solved about 34% of assigned problems, DeepMind reports this week in Science. (On similar benchmarks, Codex achieved single-digit-percentage success.) To further test its prowess, DeepMind entered AlphaCode into online coding competitions. In contests with at least 5000 participants, the system outperformed 45.7% of programmers. The researchers also compared its programs with those in its training database and found it did not duplicate large sections of code or logic. It generated something new -- a creativity that surprised Ellis. The study notes the long-term risk of software that recursively improves itself. Some experts say such self-improvement could lead to a superintelligent AI that takes over the world. Although that scenario may seem remote, researchers still want the field of AI coding to institute guardrails, built-in checks and balances.

"The Perl Advent Calendar has come a long way since it's first year in 2000," says an announcement on Reddit. But in fact the online world now has many daily advent calendars aimed at programmers — offering tips about their favorite language or coding challenges.

• The HTMHell site — which bills itself as "a collection of bad practices in HTML, copied from real websites" — decided to try publishing 24 original articles for their 2022 HTMHell Advent Calendar. Elsewhere on the way there's the Web Performance Calendar, promising daily articles for speed geeks. And the 24 Days in December blog comes to life every year with new blog posts for PHP users.

• The JVM Advent Calendar brings a new article daily about a JVM-related topic. And there's also a C# Advent calendar promising two new blog posts about C# every day up to (and including) December 25th.

• The Perl Advent Calendar offers fun stories about Perl tools averting December catastrophes up at the North Pole. (Day One's story — "Silent Mite" — described Santa's troubles building software for a ninja robot alien toy, since its embedded hardware support contract prohibited unwarrantied third-party code, requiring a full code rewrite using Perl's standard library.) Other stories so far this December include "Santa is on GitHub" and "northpole.cgi"

• The code quality/security software company SonarSource has a new 2022 edition of their Code Security Advent Calendar — their seventh consecutive year — promising "daily challenges until December 24th. Get ready to fill your bag of security tricks!" (According to a blog post the challenges are being announced on Twitter and on Mastadon.

• Just as the Perl community spawned another language named Perl 6 — now called Raku — there's also a Raku-themed advent calendar. (It's now at a new URL, though it's been running since 2009.) Day Three's post tells the story of Santa and the Rakupod Wranglers.

• "24 Pull Requests" dares participants to make 24 pull requests before December 24th. (The site's tagline is "giving back to open source for the holidays.") Over the years tens of thousands of developers (and organizations) have participated — and this year they're also encouraging organizers to hold hack events.

• The Advent of JavaScript and Advent of CSS sites promise 24 puzzles delivered by email (though you'll have to pay if you also want them to email you the solutions!)

• TryHackMe.com has its own set of darily cybersecurity puzzles (and even a few prizes).

• For 2022 Oslo-based Bekk Consulting (a "strategic internet consulting company") is offering an advent calendar of their own. A blog post says its their sixth annual edition, and promises "new original articles, podcasts, tutorials, listicles and videos every day up until Christmas Eve... all written and produced by us - developers, designers, project managers, agile coaches, management consultants, specialists and generalists."

Whether you participate or not, the creation of programming-themed advent calendar sites is a long-standing tradition among geeks, dating back more than two decades. (Last year Smashing magazine tried to compile an exhaustive list of the various sites serving all the different developer communities.)

But no list would be complete without mentioning Advent of Code. This year's programming puzzles involve everything from feeding Santa's reindeer and loading Santa's sleigh. The site's About page describes it as "an Advent calendar of small programming puzzles for a variety of skill sets and skill levels that can be solved in any programming language you like."

Now in its eighth year, the site's daily two-part programmig puzzles have a massive online following. This year's Day One puzzle was solved by 178,628 participants...

Long-time Slashdot reader destinyland writes: Since 1999 fiction writers have tried starting and finishing the composition of 50,000-word novels in November for "National Novel Writing Month". But for the last nine years, programmers have instead tried generating 50,000 word novels — and this year's edition received more than 50 entries.

"The only rule is that you share at least one novel and also your source code at the end," explains the event's official page on GitHub.
From the repository's README file: The "novel" is defined however you want. It could be 50,000 repetitions of the word "meow" (and yes it's been done!). It could literally grab a random novel from Project Gutenberg. It doesn't matter, as long as it's 50k+ words.

Please try to respect copyright. We're not going to police it, as ultimately it's on your head if you want to just copy/paste a Stephen King novel or whatever, but the most useful/interesting implementations are going to be ones that don't engender lawsuits.
This year's computer-generated novels include " sunday in the sunday in the," mapping the colors from each dot in the Pointillist painting Sunday Afternoon on the Island of La Grande Jatte onto words from the lyrics of a musical about that painting. ("Rush blind. Link adds shallot again....")