Researchers have uncovered yet another supply chain attack targeting an open source code repository, showing that the technique, which has gained wide use in the past few years, isn't going away any time soon.
This time, the repository was PyPI, short for the Python Package Index, which is the official software repository for the Python programming language. Earlier this month, a contributor with the username Lolip0p uploaded three packages to PyPI titled: colorslib, httpslib, and libhttps. The contributor was careful to disguise all three as legitimate packages, in this case, as libraries for creating a terminal user interface and thread-safe connection pooling. All three packages were advertised as providing full-featured usability.
[...] Open source repositories such as PyPI and NPM have become increasingly used as vectors for installing malware through supply chain attacks, which spread malicious software at the source of a legitimate project. From 2018 to 2021, this type of attack grew on NPM almost fourfold and about fivefold on PyPI, according to security firm ReversingLabs. From January to October last year, 1,493 malicious packages were uploaded to PyPI, and 6,977 malicious packages were uploaded to NPM.
[...] "Python end users should always perform due diligence before downloading and running any packages, especially from new authors," ReversingLabs researchers wrote in the post documenting the latest attacks. "And as can be seen, publishing more than one package in a short time period is no indication that an author is reliable."
The same advice should be applied to NPM, RubyGems, and virtually every other open source repository.
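One concrete form of the "due diligence" ReversingLabs recommends is to look at a package's release history and metadata before installing it. The following is an added example, not code from the article or from ReversingLabs: it scores a package's metadata on the signals the article names (a brand-new author, several uploads in a short burst, nothing linking the package to a real project). It assumes the JSON shape served by PyPI's `https://pypi.org/pypi/<name>/json` endpoint (`info` plus `releases` keyed by version, each file carrying `upload_time_iso_8601`); the two metadata records below are constructed for illustration, and the dates, authors and URLs in them are made up.

```python
"""Pre-install due-diligence check on PyPI package metadata.

Added example; not part of the article. Assumes the JSON layout returned by
https://pypi.org/pypi/<name>/json. All sample metadata below is constructed.
"""
from datetime import datetime, timezone


def _parse(ts: str) -> datetime:
    # PyPI emits timestamps such as "2023-01-07T09:00:00Z"
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def release_times(meta: dict) -> list:
    """All file upload times for the package, oldest first."""
    times = []
    for files in meta.get("releases", {}).values():
        for f in files:
            times.append(_parse(f["upload_time_iso_8601"]))
    return sorted(times)


def assess_package(meta: dict, now: datetime) -> dict:
    """Return the findings a reviewer would want to see before `pip install`.

    Flags: very young package, a burst of uploads in under a day (the article's
    point that several releases in a short period prove nothing), and no
    homepage or project URLs tying the package to a real project.
    """
    info = meta.get("info", {})
    times = release_times(meta)
    findings = []
    if not times:
        return {"name": info.get("name"), "findings": ["no release files"], "ok": False}
    first, last = times[0], times[-1]
    age_days = (now - first).days
    span_hours = (last - first).total_seconds() / 3600
    if age_days < 30:
        findings.append(f"first release only {age_days} days ago")
    if len(times) > 1 and span_hours < 24:
        findings.append(f"{len(times)} uploads within {span_hours:.1f} h (a burst, not a track record)")
    if not info.get("home_page") and not info.get("project_urls"):
        findings.append("no homepage or project URLs")
    return {
        "name": info.get("name"),
        "age_days": age_days,
        "uploads": len(times),
        "findings": findings,
        "ok": not findings,
    }


# Constructed sample: a package that looks like the ones in the article
# (new author, three uploads in two hours, no project links). Dates are invented.
NEW_PACKAGE = {
    "info": {"name": "example-newlib", "author": "new-author", "summary": "Full-featured TUI library",
             "home_page": "", "project_urls": None},
    "releases": {
        "1.0.0": [{"filename": "example_newlib-1.0.0-py3-none-any.whl",
                   "upload_time_iso_8601": "2023-01-07T09:00:00Z"}],
        "1.0.1": [{"filename": "example_newlib-1.0.1-py3-none-any.whl",
                   "upload_time_iso_8601": "2023-01-07T09:30:00Z"}],
        "1.0.2": [{"filename": "example_newlib-1.0.2-py3-none-any.whl",
                   "upload_time_iso_8601": "2023-01-07T11:00:00Z"}],
    },
}

# Constructed sample: an established package with a multi-year release history.
ESTABLISHED_PACKAGE = {
    "info": {"name": "example-oldlib", "author": "maintainer",
             "home_page": "https://example.invalid/oldlib", "project_urls": {"Source": "https://example.invalid/oldlib"}},
    "releases": {
        "1.0": [{"filename": "example_oldlib-1.0.tar.gz", "upload_time_iso_8601": "2019-03-01T00:00:00Z"}],
        "1.1": [{"filename": "example_oldlib-1.1.tar.gz", "upload_time_iso_8601": "2021-06-15T00:00:00Z"}],
        "1.2": [{"filename": "example_oldlib-1.2.tar.gz", "upload_time_iso_8601": "2022-11-02T00:00:00Z"}],
    },
}

NOW = datetime(2023, 1, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    for meta in (NEW_PACKAGE, ESTABLISHED_PACKAGE):
        result = assess_package(meta, NOW)
        status = "OK" if result["ok"] else "REVIEW"
        print(f"{result['name']}: {status} {result['findings']}")
```

Against live data the same function runs over `json.load(urllib.request.urlopen(url))` for the endpoint above; the signals are a prompt to go and read the package source, not a verdict, since a patient attacker can age an account and space out uploads.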
The night sky has been brightening faster than researchers realized, thanks to the use of artificial lights at night. A study of more than 50,000 observations of stars by citizen scientists reveals that the night sky grew about 10 percent brighter, on average, every year from 2011 to 2022.
In other words, a baby born in a region where roughly 250 stars were visible every night would see only 100 stars on their 18th birthday, researchers report in the Jan. 20 Science.
[...] "In a way, this is a call to action," says astronomer Connie Walker of the National Optical-Infrared Astronomy Research Laboratory in Tucson. "People should consider that this does have an impact on our lives. It's not just astronomy. It impacts our health. It impacts other animals who cannot speak for themselves."
Walker works with the Globe at Night campaign, which began in the mid-2000s as an outreach project to connect students in Arizona and Chile and now has thousands of participants worldwide. Contributors compare the stars they can see with maps of what stars would be visible at different levels of light pollution, and enter the results on an app.
"I'd been quite skeptical of Globe at Night" as a tool for precision research, admits physicist Christopher Kyba of the GFZ German Research Centre for Geosciences in Potsdam. But the power is in the sheer numbers: Kyba and colleagues analyzed 51,351 individual data points collected from 2011 to 2022.
"The individual data are not precise, but there's a whole lot of them," he says. "This Globe at Night project is not just a game; it's really useful data. And the more people participate, the more powerful it gets."
[...] The good news is that no major technological breakthroughs are needed to help fix the problem. Scientists and policy makers just need to convince people to change how they use light at night — easier said than done.
"People sometimes say light pollution is the easiest pollution to solve, because you just have to turn a switch and it goes away," Kyba says. "That's true. But it's ignoring the social problem — that this overall problem of light pollution is made by billions of individual decisions."
Some simple solutions include dimming or turning off lights overnight, especially floodlighting or lights in empty parking lots.
Kyba shared a story about a church in Slovenia that switched from four 400-watt floodlights to a single 58-watt LED, shining behind a cutout of the church to focus the light on its facade. The result was a 96 percent reduction in energy use and much less wasted light, Kyba reported in the International Journal of Sustainable Lighting in 2018. The church was still lit up, but the grass, trees and sky around it remained dark.
"If it was possible to replicate that story over and over again throughout our society, it would suggest you could really drastically reduce the light in the sky, still have a lit environment and have better vision and consume a lot less energy," he says. "This is kind of the dream."
Fabio Falchi and Salvador Bará, "Light pollution is skyrocketing," Science 379(6629), 2023. doi: 10.1126/science.adf4952
If you visit the Field Museum in Chicago for its First Kings of Europe exhibit that opens March 31, keep an eye out for a ragged, unassuming sword. It has a special backstory. The Field Museum had thought it was a convincing replica of a Bronze Age sword. Turns out, it's the real thing.
The sword is around 3,000 years old. The museum acquired the artifact almost a century ago. It was first discovered in the 1930s in the Danube River in Budapest, Hungary. It may have ended up there as part of a ritual for the dead.
Field Museum scientists with specialities in chemistry and archaeology examined the sword with an X-ray fluorescence detector, a device that can determine what an object is composed of. "When they compared the sword's chemical makeup to other known Bronze Age swords in Europe, their content of bronze, copper and tin were nearly identical," the Field Museum said in a statement this week.
Tracing the sword to its rightful place in history was unexpected. "Usually this story goes the other way round. What we think is an original turns out to be a fake," said Bill Parkinson, curator of anthropology.
T-Mobile today disclosed a data breach affecting tens of millions of customer accounts, its second major data exposure in as many years. In a filing with federal regulators, T-Mobile said an investigation determined that someone abused its systems to harvest subscriber data tied to approximately 37 million current customer accounts.
In a filing today with the U.S. Securities and Exchange Commission, T-Mobile said a "bad actor" abused an application programming interface (API) to hoover up data on roughly 37 million current postpaid and prepaid customer accounts. The data stolen included customer name, billing address, email, phone number, date of birth, T-Mobile account number, as well as information on the number of customer lines and plan features.
APIs are, in essence, the interfaces through which applications request data from and interact with back-end systems and databases. Left improperly secured, those same interfaces let malicious actors mass-harvest the information stored behind them. In October, mobile provider Optus disclosed that hackers abused a poorly secured API to steal data on 10 million customers in Australia.
T-Mobile said it first learned of the incident on Jan. 5, 2023, and that an investigation determined the bad actor started abusing the API beginning around Nov. 25, 2022. The company says it is in the process of notifying affected customers, and that no customer payment card data, passwords, Social Security numbers, driver's license or other government ID numbers were exposed.
In August 2021, T-Mobile acknowledged that hackers made off with the names, dates of birth, Social Security numbers and driver's license/ID information on more than 40 million current, former or prospective customers who applied for credit with the company. That breach came to light after a hacker began selling the records on a cybercrime forum.
Last year, T-Mobile agreed to pay $500 million to settle all class action lawsuits stemming from the 2021 breach. The company pledged to spend $150 million of that money toward beefing up its own cybersecurity.
In its filing with the SEC, T-Mobile suggested it was going to take years to fully realize the benefits of those cybersecurity improvements, even as it claimed that protecting customer data remains a top priority.
Wikipedia has released their new layout, which unsurprisingly includes whitespace bars on either side, justified by the claim "most people prefer a column 60-80 characters wide" (although it's not that extreme).
The changes being introduced are not very dramatic — in fact, they may not even be immediately noticed by some users. The organization, however, says the update was necessary in order to meet the needs of the next generation of internet users, including those who have come online more recently and may have less familiarity with the internet.
To develop the new interface, the foundation engaged with more than 30 different volunteer groups from around the world, with users in places like India, Indonesia, Ghana and Argentina, among others, all helping to test the update and provide insights into the product development. The goal for the update was to make Wikipedia more of a modern web platform, it said, and to remove clutter, while also making it easier for users to contribute. It additionally aimed to make the desktop web version more consistent with Wikipedia's mobile counterpart.
It is possible to go back to the old layout, if you log in to the site and set it in your preferences.
Poor cryptocurrency valuations and continued fallout from FTX's downfall left Genesis unable to pay its creditors.
Genesis, one of the largest crypto lending firms in the space, finally filed for Chapter 11 bankruptcy on Friday. Though Genesis managed to cling on to life for months longer than some of its largest competitors, recent market shake-ups and festering fallout from FTX's collapse flung it over the edge. Now, the firm will join Celsius, Voyager Digital, and BlockFi in a graveyard of former crypto giants.
Genesis was among the crypto firms offering sky-high returns on cryptocurrency investments. The company lent funds to some of the shadiest names in the space, including failed crypto hedge fund Three Arrows Capital and FTX affiliate Alameda Research. In the latter example, Genesis reportedly gave out hundreds of millions of dollars' worth of unsecured loans to Alameda. Genesis' parent company, DCG, now reportedly owes creditors around $3 billion, according to CNBC. The bankruptcy filing comes just a week after the Securities and Exchange Commission charged Genesis with allegedly selling unregistered securities.
[...] While Genesis, like just about every other company in the crypto space, struggled to adapt to worsening cryptocurrency valuations and diminished consumer trust, the public response to FTX's implosion likely accelerated the company's downfall. FTX's death spiral sparked a new wave of crypto customers sprinting to withdraw their funds. Genesis reportedly sought out a $1 billion bailout during this time to stop the bleeding, but nobody answered the company's call.
In Appalachia's coal country, researchers envision turning toxic waste into treasure. The pollution left behind by abandoned mines is an untapped source of rare earth elements.
Rare earths are a valuable set of 17 elements needed to make everything from smartphones and electric vehicles to fluorescent bulbs and lasers. With global demand skyrocketing and China having a near-monopoly on rare earth production — the United States has only one active mine — there's a lot of interest in finding alternative sources, such as ramping up recycling.
Pulling rare earths from coal waste offers a two-for-one deal: By retrieving the metals, you also help clean up the pollution.
Long after a coal mine closes, it can leave a dirty legacy. When some of the rock left over from mining is exposed to air and water, sulfuric acid forms and pulls heavy metals from the rock. This acidic soup can pollute waterways and harm wildlife.
Recovering rare earths from what's called acid mine drainage won't single-handedly satisfy rising demand for the metals, acknowledges Paul Ziemkiewicz, director of the West Virginia Water Research Institute in Morgantown. But he points to several benefits.
Unlike ore dug from typical rare earth mines, the drainage is rich with the most-needed rare earth elements. Extraction from acid mine drainage also doesn't generate the radioactive waste that's typically a by-product of rare earth mines, which often contain uranium and thorium alongside the rare earths. And from a practical standpoint, existing facilities to treat acid mine drainage could be used to collect the rare earths for processing. "Theoretically, you could start producing tomorrow," Ziemkiewicz says.
From a few hundred sites already treating acid mine drainage, nearly 600 metric tons of rare earth elements and cobalt — another in-demand metal — could be produced annually, Ziemkiewicz and colleagues estimate.
Dungeons & Dragons released a statement today saying that the future of its open gaming license will include its core rules being placed under the purview of the Creative Commons. The Creative Commons is "a nonprofit dedicated to sharing knowledge, and it developed a set of licenses to let creators do that," says the newest update from Kyle Brink, the executive producer at Dungeons & Dragons.
This decision is a direct response to a lot of the fears the community had after io9 reported on the initial OGL 1.1 draft on January 5. The CC license will cede Wizards of the Coast's control over the base rules and mechanics of D&D to the nonprofit that stewards the license, which means that Dungeons & Dragons and WOTC will be unable to touch it and will not be able to revoke it. Likewise, content that goes beyond the remit of using core rules will fall under a new OGL, dubbed 1.2, which will contain specific language denoting the license as "irrevocable"—a massive pressure point for creators who used the original OGL 1.0 and were worried about the implications of the 30-day termination clause in the OGL 1.1.
[...] Wizards of the Coast seems committed to having a firm stance on bigoted and hateful content—something that people praised in the leaked draft. "If you include harmful, discriminatory, or illegal content (or engage in that conduct publicly), we can terminate your OGL 1.2 license to our content," reads the statement. [...]
Additionally, Brink states that "what [Dungeons & Dragons] is going for here is giving good-faith creators the same level of freedom (or greater, for the ruleset in Creative Commons) to create TTRPG content that's been so great for everyone, while giving us the tools to ensure the game continues to become ever more inclusive and welcoming." [...]
WTF?! Governments looking for classified documents on other nations' military vehicles might no longer require spies to get the job done; they can just check out the War Thunder forum. Once again, someone used the popular game's message board to post restricted military intel—twice.
The first incident occurred earlier this week during a discussion about the F-16 Fighting Falcon, a single-engine multirole fighter aircraft originally developed by General Dynamics for the United States Air Force. It was introduced in 1978 but is still used in active duty today.
Aerotime reports that during the lengthy conversation about the aircraft, a user called spacenavy90 wrote that he found something "interesting" during his research about AMRAAM missiles for the F-16. He proved this by attaching a document that contained export-restricted data.
[...] This is a familiar phenomenon for the War Thunder forums. Schematics for the Challenger 2 tank extracted from its Army Equipment Support Publication (AESP) were posted in 2021. This was followed a few months later by another leaked document, this one on the French Leclerc Main Battle Tank and its variants, prompting Gaijin to warn users against the practice as the team didn't want to "end up chained at the bottom of a disguised CIA cargo ship in international waters." The warning was ignored—classified documents relating to Chinese tanks were posted to the forum last year.
These documents are usually posted to win arguments. But even those that have been declassified fall under the jurisdiction of the International Traffic in Arms Regulations (ITAR), which limits the disclosure of US weapons data. One has to wonder if proving you're correct is worth a potential ten-year prison sentence.
An opinion piece but some pretty good advice here. Below is a sub-sample of "20 years of software distilled down into 20 pithy pieces":
1. I still don't know very much
"How can you not know what BGP is?" "You've never heard of Rust?" Most of us have heard these kinds of statements, probably too often. The reason many of us love software is because we are lifelong learners, and in software no matter which direction you look, there are wide vistas of knowledge going off in every direction and expanding by the day. [...] The sooner you realize this, the sooner you can start to shed your imposter syndrome and instead delight in learning from and teaching others.
2. The hardest part of software is building the right thing
I know this is cliche at this point, but the reason most software engineers don't believe it is because they think it devalues their work. Personally I think that is nonsense. Instead it highlights the complexity and irrationality of the environments in which we have to work, which compounds our challenges.
4. The best code is no code, or code you don't have to maintain
[...] Engineering teams are apt to want to reinvent the wheel, when lots of wheels already exist. This is a balancing act; there are lots of reasons to grow your own, but beware of toxic "Not Invented Here" syndrome.
8. Every system eventually sucks, get over it
Bjarne Stroustrup has a quote that goes "There are only two kinds of languages: the ones people complain about and the ones nobody uses". This can be extended to large systems as well. [...]
12. People don't really want innovation
People talk about innovation a whole lot, but what they are usually looking for is cheap wins and novelty. If you truly innovate, and change the way that people have to do things, expect mostly negative feedback. If you believe in what you're doing, and know it will really improve things, then brace yourself for a long battle.
18. Software engineers, like all humans, need to feel ownership
[...] Give a group of passionate people complete ownership over designing, building, and delivering a piece of software (or anything really) and amazing things will happen.
19. Interviews are almost worthless for telling how good of a team member someone will be
[...] No one is going to tell you in an interview that they are going to be unreliable, abusive, pompous, or never show up to meetings on time. People might claim they have "signals" for these things... "if they ask about time off in the first interview then they are never going to be there!" But these are all bullshit. If you're using signals like these you're just guessing and turning away good candidates.
20. Always strive to build a smaller system
There are a lot of forces that will push you to build the bigger system up-front. Budget allocation, the inability to decide which features should be cut, the desire to deliver the "best version" of a system. All of these things push us very forcefully towards building too much. You should fight this. [...]
Video game developers and cancer researchers have teamed up to turn spreadsheet data into highly detailed VR imagery of cancer cells:
Virtual reality software has become an unlikely tool in the fight against cancer.
In a bid to help doctors better understand how to treat cancer, video game designers and cancer researchers have teamed up at the University of Cambridge, England, to turn spreadsheet data into highly detailed VR imagery of cancer cells, ITV reports.
The university's IMAXT Laboratory has transformed brain-crunching numbers and data into an interactive 3D picture of a tumor that makes it easy for researchers to differentiate between cancer cells, as each type of cell is colored or shaped differently.
With the help of a VR headset, doctors and researchers can essentially step inside patients' tumors, making it easier to assess the severity and origin of the cancer cells. The aim of the tool, its makers say, is to give a better insight into how tumors can be treated.
Originally spotted on The Eponymous Pickle.
I couldn't find any stories on this leak, except from Schneier on Security:
Cellebrite is the global leader in partnering with public and private organizations to transform how they manage Digital Intelligence in investigations to protect and save lives, accelerate justice and ensure data privacy. Schneier is a bit more cynical:
Cellebrite is a cyberweapons arms manufacturer that sells smartphone forensic software to governments around the world.
MSAB is a world leader in forensic technology for extracting and analyzing data in seized mobile devices.
One of the key dogmas the copyright industry fights hard to impose on the world is that copyright should trump all other considerations, and in all situations. For its supporters, copyright should even be placed above basic human rights, if ever a clash arises between them. For the most part, legislators and judges have allowed this distorted viewpoint to be spread unchallenged, as Walled Culture noted with regret in November last year. That fact makes the following news from Finland, reported by Benjamin White on the site of the Association of European Research Libraries (LIBER), important:
In October 2022 we witnessed a significant development in Finland, with the Parliament's Constitutional Law Committee concluding that the government's draft implementation of the Copyright in the Digital Single Market Directive is not in line with the Finnish constitution. In particular, the Committee found that it conflicted with human rights – namely the right to education and science under Section 16 of the Finnish Constitution.
White points out:
Academic commentators have long argued that copyright, and indeed other intellectual property rights, risk undermining fundamental rights in their application. Given the obligation on governments to make careful judgements in situations of legal conflict, fundamental rights undoubtedly provide a clear reason for limiting the scope of IP rights.
[...] The Finnish move is of particular interest for the following reason:
Until developments in the autumn of this year in the Finnish Parliament, we have been unaware of the fundamental human right to education and science being used in practice by European legislators to challenge the broadening scope of exclusive rights under copyright law.
We need other legislators and lawyers to follow the Finnish example and recognise that fundamental and universal rights matter more than the supposed sanctity of copyright, which only benefits corporations and a tiny number of "star" creators.
It was an innocuous-looking photograph that turned out to be the downfall of Zheng Xiaoqing, a former employee with energy conglomerate General Electric Power:
According to a Department of Justice (DOJ) indictment, the US citizen hid confidential files stolen from his employers in the binary code of a digital photograph of a sunset, which Mr Zheng then mailed to himself.
It was a technique called steganography, a means of hiding a data file within the code of another data file. Mr Zheng utilised it on multiple occasions to take sensitive files from GE.
[...] The information Zheng stole was related to the design and manufacture of gas and steam turbines, including turbine blades and turbine seals. Considered to be worth millions, it was sent to his accomplice in China. It would ultimately benefit the Chinese government, as well as China-based companies and universities.
Zheng was sentenced to two years in prison earlier this month. It is the latest in a series of similar cases prosecuted by US authorities. In November Chinese national Xu Yanjun, said to be a career spy, was sentenced to 20 years in prison for plotting to steal trade secrets from several US aviation and aerospace companies - including GE.
Originally spotted on Schneier on Security.
In a discovery that has repercussions for everything from domestic agricultural policy to global food security and the plans to mitigate climate change, researchers at the University of Massachusetts recently announced that the rate of soil erosion in the Midwestern US is 10 to 1,000 times greater than pre-agricultural erosion rates. These newly discovered pre-agricultural rates, which reflect the rate at which soils form, are orders of magnitude lower than the upper allowable limit of erosion set by the U.S. Department of Agriculture (USDA).
The study, which appears in the journal Geology, makes use of a rare element, beryllium-10, or 10Be, that occurs when stars in the Milky Way explode and send high-energy particles, called cosmic rays, rocketing toward Earth. When this galactic shrapnel slams into the Earth's crust, it splits oxygen in the soil apart, leaving tiny trace amounts of 10Be, which can be used to precisely determine average erosion rates over the span of thousands to millions of years.
[...] The numbers are not encouraging. "Our median pre-agricultural erosion rate across all the sites we sampled is 0.04 mm per year," says Larsen. Any modern-day erosion rate higher than that number means that soil is disappearing faster than it is accumulating.
Unfortunately, the USDA's current limit for erosion is 1 mm per year—twenty-five times greater than the average rate Larsen's team found. And some sites are experiencing far greater erosion, disappearing at 1,000 times the natural rate. This means that the USDA's current guidelines will inevitably lead to rapid loss of topsoil.
[...] Yet, there's no reason to despair. "There are agricultural practices, such as no-till farming, that we know how to do and we know greatly reduce erosion," says Quarrier. "The key is to reduce our current erosion rates to natural levels," adds Larsen.
Caroline L. Quarrier, Jeffrey S. Kwang, Brendon J. Quirk, et al., "Pre-agricultural soil erosion rates in the midwestern United States," Geology 2022; 51(1): 44–48. doi: https://doi.org/10.1130/G50667.1