Despite more than a decade of reminding, prodding, and downright nagging, a surprising number of developers still can't bring themselves to keep their code free of credentials that provide the keys to their kingdoms to anyone who takes the time to look for them.
The lapse stems from immature coding practices in which developers embed cryptographic keys, security tokens, passwords, and other forms of credentials directly into the source code they write. The credentials make it easy for the underlying program to access databases or cloud services necessary for it to work as intended. I published one such PSA in 2013 after discovering simple searches that turned up dozens of accounts that appeared to expose credentials securing computer-to-server SSH accounts. One of the credentials appeared to grant access to an account on Chromium.org, the repository that stores the source code for Google's open source browser.
In 2015, Uber learned the hard way just how damaging the practice can be. One or more developers for the ride service had embedded a unique security key into code and then shared that code on a public GitHub page. Hackers then copied the key and used it to access an internal Uber database and, from there, steal sensitive data belonging to 50,000 Uber drivers.
Uber lawyers argued at the time that "the contents of these internal database files are closely guarded by Uber," but that contention is undermined by the means the company took to safeguard the data, which were no better than stashing a house key under a door mat.
[...] Researchers from security firm GitGuardian this week reported finding almost 4,000 unique secrets stashed inside a total of 450,000 projects submitted to PyPI, the official code repository for the Python programming language. Nearly 3,000 projects contained at least one unique secret. Many secrets were leaked more than once, bringing the total number of exposed secrets to almost 57,000.
[...] The credentials exposed provided access to a range of resources, including Microsoft Active Directory servers that provision and manage accounts in enterprise networks, OAuth servers allowing single sign-on, SSH servers, and third-party services for customer communications and cryptocurrencies. [...]
Also included in the haul were API keys for interacting with various Google Cloud services, database credentials, and tokens controlling Telegram bots, which automate processes on the messenger service. This week's report said that exposures in all three categories have steadily increased in the past year or two.
The secrets were exposed in various types of files published to PyPI. They included primary .py files, README files, and test folders.
[...] There are no good reasons to expose credentials in code. The report said the most common cause is accidental exposure.
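The report above says the secrets turned up in .py files, READMEs and test folders. The following added example (not GitGuardian's tooling or code from the article) shows how a pre-publish check could scan exactly those package files, combining regexes for well-known credential formats with a Shannon-entropy heuristic for generic `password = "..."` assignments. Every credential-looking value and file name in it is a constructed dummy.

```python
"""Minimal secrets scanner for the files shipped in a Python package."""
import math
import re
from dataclasses import dataclass

# Named regexes for credential formats with a recognisable shape.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_\-]{35}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}
# Generic heuristic: a secret-sounding name assigned a quoted literal.
ASSIGNMENT = re.compile(
    r"""(?i)(?:password|passwd|pwd|secret|token|api[_-]?key)\b\s*[:=]\s*["']([^"'\s]{8,})["']"""
)
# Values that look like documentation placeholders rather than real secrets.
PLACEHOLDER = re.compile(r"(?i)example|placeholder|changeme|your[_-]|<|>|\$\{|%s|xxx")
ENTROPY_THRESHOLD = 3.0  # bits per character; below this we assume a dummy value


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    redacted: str  # never log the full secret, only a prefix


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of the string."""
    counts = {ch: value.count(ch) for ch in set(value)}
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep the first four characters so a finding can be triaged."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path: str, text: str) -> list[Finding]:
    """Return all findings for one file's content."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                findings.append(Finding(path, lineno, rule, redact(m.group(0))))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(1)
            if PLACEHOLDER.search(value) or shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue  # placeholder or low-entropy dummy, not worth a finding
            findings.append(Finding(path, lineno, "high_entropy_assignment", redact(value)))
    return findings


def scan_package(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> content, in path order."""
    return [f for path, text in sorted(files.items()) for f in scan_text(path, text)]


# Constructed sample package; every credential below is a made-up dummy.
TELEGRAM_DUMMY = "123456789:" + "AAFexample_TOKEN_" + "0" * 18  # 35 chars after the colon
GOOGLE_DUMMY = "AIza" + "SyExampleKey" + "0" * 23               # 35 chars after AIza
SAMPLE_FILES = {
    "pkg/settings.py": (
        'DB_HOST = "db.internal"\n'
        'db_password = "S3cr3t!Pa55w0rd#2023"\n'  # realistic-looking secret: flagged
        'admin_password = "changeme"\n'            # low entropy: skipped
        'api_key = "<YOUR_API_KEY>"\n'             # placeholder: skipped
        f'GOOGLE_KEY = "{GOOGLE_DUMMY}"\n'
    ),
    "README.md": f"Run the bot with TELEGRAM_TOKEN={TELEGRAM_DUMMY}\n",
    "tests/fixtures/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\n(key body omitted)\n",
    "tests/test_upload.py": 'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n',
}

if __name__ == "__main__":
    for f in scan_package(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.rule}: {f.redacted}")
```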
What do Boeing, an Australian shipping company, the world's largest bank, and one of the world's biggest law firms have in common? All four have suffered cybersecurity breaches, most likely at the hands of teenage hackers, after failing to patch a critical vulnerability that security experts have warned of for more than a month, according to a post published Monday.
[...] All four companies have confirmed succumbing to security incidents in recent days, and China's ICBC has reportedly paid an undisclosed ransom in exchange for encryption keys to data that has been unavailable ever since.
[...] After the CitrixBleed exploit grants initial remote access through software known as Virtual Desktop Infrastructure, LockBit escalates its access to other parts of the compromised network using tools such as Atera, which provides interactive PowerShell interfaces that don't trigger antivirus or endpoint detection alerts. This access remains even after CitrixBleed is patched unless administrators take special actions.
Arthur T Knackerbracket has processed the following story:
ChatGPT's recently-added Code Interpreter makes writing Python code with AI much more powerful, because it actually writes the code and then runs it for you in a sandboxed environment. Unfortunately, this sandboxed environment, which is also used to handle any spreadsheets you want ChatGPT to analyze and chart, is wide open to prompt injection attacks that exfiltrate your data.
Using a ChatGPT Plus account, which is necessary to get the new features, I was able to reproduce the exploit, which was first reported on Twitter by security researcher Johann Rehberger. It involves pasting a third-party URL into the chat window and then watching as the bot interprets instructions on the web page the same way it would commands the user entered.
[...] I tried this prompt injection exploit and some variations on it several times over a few days. It worked a lot of the time, but not always. In some chat sessions, ChatGPT would refuse to load an external web page at all, but then would do so if I launched a new chat.
In other chat sessions, it would give a message saying that it's not allowed to transmit data from files this way. And in yet other sessions, the injection would work, but rather than transmitting the data directly to http://myserver.com/data.php?mydata=[DATA], it would provide a hyperlink in its response and I would need to click that link for the data to transmit.
I was also able to use the exploit after I'd uploaded a .csv file with important data in it to use for data analysis. So this vulnerability applies not only to code you're testing but also to spreadsheets you might want ChatGPT to use for charting or summarization.
[...] The problem is that, no matter how far-fetched it might seem, this is a security hole that shouldn't be there. ChatGPT should not follow instructions that it finds on a web page, but it does and has for a long time. We reported on ChatGPT prompt injection (via YouTube videos) back in May after Rehberger himself responsibly disclosed the issue to OpenAI in April. The ability to upload files and run code in ChatGPT Plus is new (recently out of beta) but the ability to inject prompts from a URL, video or a PDF is not.
The US Federal Aviation Administration (FAA) has given SpaceX clearance to try launching the monster Starship / Super Heavy combo from the company's Boca Chica facility.
It has taken some time, at least in terms of the rapid iterative approach adopted by the company for its other vehicles. Still, SpaceX is set for another attempt seven months after April's effort.
Residing at the bottom of an FAA advisory are three possible dates for flight two of the SpaceX Starship Super Heavy. The primary date is November 17, with backup dates on November 18 and 19.
The FAA grounded SpaceX's Starship after the rocket demolished a chunk of its launchpad and scattered debris over the surrounding area. The launch was aborted a few minutes into flight, although there was a worrying delay between the red button being pushed and the tumbling rocket detonating.
YouTube video: Musk Confirms License: Starship To Launch Friday!
Update for 3 pm ET: SpaceX CEO Elon Musk says the second Starship launch is postponed to no earlier than Saturday, Nov. 18 to replace a grid fin actuator on the launch stack.
SpaceX plans to launch its Starship vehicle for the second time ever on Friday (Nov. 17), and you can watch the historic liftoff live.
SpaceX aims to launch Starship, a next-generation system designed to take people and payloads to deep space, on Friday during a two-hour window that opens at 8 a.m. EST (1300 GMT). Liftoff will occur from Starbase, the company's site in coastal South Texas.
You can watch the action here at Space.com, courtesy of SpaceX, or directly via the company. Coverage will begin at 7:30 a.m. EST (1230 GMT).
Backup launch windows run on Saturday (Nov. 18) and Sunday (Nov. 19), according to multiple media reports citing U.S. Federal Aviation Administration (FAA) advisories.
[...] Should Starship get safely into space this time, the expected 90-minute flight will see the spacecraft fly east over the Gulf of Mexico, make a partial circuit of Earth and splash down near Hawaii. Starship and Super Heavy are reusable systems, but this time SpaceX will aim for a simple splashdown in the ocean rather than landing vertically, as the first stages of SpaceX's Falcon 9 and Falcon Heavy rockets commonly do.
Technically speaking, Starship won't quite do a full orbit of the planet, but its expected flight should bring it to a near-orbital velocity of 17,500 mph (28,160 kph) at an altitude of 150 miles (250 kilometers).
Arthur T Knackerbracket has processed the following story:
A tool bag is orbiting Earth. No, this isn't an elaborate Elon Musk joke.
The bag entered orbit during a spacewalk conducted by NASA astronauts and International Space Station residents Jasmin Moghbeli and Loral O'Hara on November 1. During their almost seven-hour space stroll, during which they replaced bearings on a sun-tracking solar array and removed some communications equipment, NASA revealed the tool bag "was inadvertently lost" by one of the dynamic duo.
"Mission Control analyzed the bag's trajectory and determined that risk of recontacting the station is low and that the onboard crew and space station are safe with no action required," the space agency added.
Dr Meganne Christian, a member of the European Space Agency’s 2022 astronaut class, shared a snippet of helmet camera footage from Moghbeli's space suit showing the bag slipping away and the futile scramble to retrieve it.
But the container – a “crew lock bag” in official NASA parlance – didn’t just drift away out of human view.
Astrophysicist Jonathan McDowell of the Harvard Center for Astrophysics confirmed last week that the bag had been catalogued by the US Space Force as 58229/1998-067WC and was being tracked as a new orbital object.
The next day, Japanese ISS resident Satoshi Furukawa snapped a photo of the bag as the ISS passed over Japan.
According to McDowell, the bag isn't in a stable orbit, and is expected to re-enter Earth's atmosphere in a few months, when it will burn up completely and won't be a risk to anyone on the ground.
For those interested in observing the bag before it burns up in Earth's atmosphere, that just might be possible with the proper equipment and timing.
The bag's brightness is magnitude six, or just at the edge of the eye's unaided visibility limit under perfect conditions. Binoculars would make spotting it far easier. Sat-spotters seeking a sighting of the space spanners should look a few minutes ahead of the ISS's expected path, which can be tracked online or with a recently launched mobile app.
A new study found that more than one million US deaths per year—including many young and working-age adults—could be avoided if the US had mortality rates similar to its peer nations:
In 2021, 1.1 million deaths would have been averted in the United States if the US had mortality rates similar to other wealthy nations, according to a new study led by a School of Public Health researcher.
Published in the journal PNAS Nexus, the study refers to these excess deaths as "Missing Americans," because these deaths reflect people who would still be alive if the US mortality rates were equal to its peer countries.
Comparing age-specific death rates in the U.S. and 21 other wealthy nations from 1933 through 2021, the authors find that current death rates in the US are much higher than other wealthy nations, and the number of excess U.S. deaths has never been larger.
"The number of Missing Americans in recent years is unprecedented in modern times," says study lead and corresponding author Jacob Bor, associate professor of global health and epidemiology.
Nearly 50 percent of all Missing Americans died before age 65 in 2020 and 2021. According to Bor, the level of excess mortality among working age adults is particularly stark. "Think of people you know who have passed away before reaching age 65. Statistically, half of them would still be alive if the US had the mortality rates of our peers. The US is experiencing a crisis of early death that is unique among wealthy nations."
The COVID-19 pandemic contributed to a sharp spike in mortality in the US—more so than in other countries—but the new findings show that the number of excess US deaths has been accelerating over the last four decades. Bor and colleagues analyzed trends in US deaths from 1933 to 2021, including the impact of COVID-19, and then compared these trends with age-specific mortality rates in Canada, Japan, Australia, and 18 European nations.
The US had lower mortality rates than peer countries during World War II and its aftermath. During the 1960s and 1970s, the US had mortality rates similar to other wealthy nations, but the number of Missing Americans began to increase year by year starting in the 1980s, reaching 622,534 annual excess U.S. deaths by 2019. Deaths then spiked to 1,009,467 in 2020 and 1,090,103 in 2021 during the pandemic. From 1980 to 2021, there were a total of 13.1 million Missing Americans.
[...] "We waste hundreds of billions each year on health insurers' profits and paperwork, while tens of millions can't afford medical care, healthy food, or a decent place to live," says study senior author Steffie Woolhandler, Distinguished Professor at the School of Urban Public Health at Hunter College, City University of New York. "Americans die younger than their counterparts elsewhere because when corporate profits conflict with health, our politicians side with the corporations."
[...] "The US was already experiencing more than 600,000 Missing Americans annually before the pandemic began, and that number was increasing each year. There have been no significant policy changes since then to change this trajectory," he says.
"While COVID-19 brought new attention to public health, the backlash unleashed during the pandemic has undermined trust in government and support for expansive policies to improve population health," said Bor. "This could be the most harmful long-term impact of the pandemic, because expansion of public policy to support health is exactly how our peer countries have attained higher life expectancy and better health outcomes."
Jacob Bor, Andrew C Stokes, Julia Raifman, et al., Missing Americans: Early death in the United States—1933–2021, PNAS Nexus, Volume 2, Issue 6, June 2023, pgad173, https://doi.org/10.1093/pnasnexus/pgad173
Screenings are being set up this week for streamers Amazon Prime Video, Apple and Netflix to check out and potentially acquire Warner Bros' axed Looney Tunes movie Coyote vs. Acme, after the studio's phone rang off the hook the entire weekend with angry filmmakers and talent reps over its third feature film kill after Batgirl and Scoob! Holiday Haunt.
The more egregious Hollywood sin with Coyote vs. Acme is that it's a finished film that was intended for a theatrical release, while the other two movies were still in the works.
[...] Amazon also is a great landing pad for Coyote vs. Acme as the studio has three upcoming movies with its star John Cena: Heads of State, Ricky Stanicky and Grand Death Lotto.
Also, during a very noisy weekend for the movie on social media, with the Coyote vs. Acme and Gravity Oscar-winning composer calling Warner Bros. "bizarre anti-art studio financial shenanigans I will never understand," some have told me that the killing of Coyote vs. Acme didn't come from WBD CEO David Zaslav himself. Rather, the blame should be set at the feet of Warner Bros. Motion Picture bosses Michael De Luca and Pam Abdy and Warner Bros.' new Animation Head Bill Damaschke, who are being made the scapegoats. The motives here were to protect the Looney Tunes IP and also scrub the studio of product developed by the previous administration.
The only thing wrong with that narrative is that De Luca and Abdy never had any previous offenses of killing a previous administration's films or finished movies. Not until landing at Warner Bros. As my mother used to say, "There's no such thing as a coincidence."
[...] While Warner Bros Discovery CFO Gunnar Wiedenfels said that the media's coverage of Batgirl's cancellation was "blown out of proportion" back in September 2022, I guess he wasn't seeing or hearing the harsh criticism from the Hollywood creative community and the film's creatives and talent, both on social and by phone.
Also, what does the Coyote vs. Acme move by Warner Bros Discovery say to DC bosses Peter Safran and James Gunn? Can their movies or projects be killed at a moment's notice? Along with Chris DeFaria, Gunn is a producer on Coyote vs. Acme. The Guardians of the Galaxy architect was a co-scribe on the movie. We understand that the filmmaker-friendly Gunn and Safran's greenlights moving forward are bona fide and not in danger of any tax tricks.
The Looney Tunes brand isn't Harry Potter, and it's certainly not The Marvels. The brand has been turned upside down, reinvented and reset several times during the course of its 90-year-plus history at Warner Bros. Certainly a family movie that grosses between $160M-$200M worldwide wouldn't do damage to the studio, but rather play directly to the audience it's supposed to play to.
Arthur T Knackerbracket has processed the following story:
Intel's oft-delayed Aurora remains a work in progress.
The Top500 organization released its semi-annual list of the fastest supercomputers in the world, with the AMD-powered Frontier supercomputer retaining its spot at the top of the list with 1.194 Exaflop/s (EFlop/s) of performance, fending off a half-scale 585.34 Petaflop/s (PFlop/s) submission from the Argonne National Laboratory's Intel-powered Aurora supercomputer. Argonne's submission, which only employs half of the Aurora system, lands at the second spot on the Top500, unseating Japan's Fugaku as the second-fastest supercomputer in the world. Intel also made inroads with 20 new supercomputers based on its Sapphire Rapids CPUs entering the list, but AMD's EPYC continues to take over the Top500 as it now powers 140 systems on the list — a 39% year-over-year increase.
Intel and Argonne are currently still working to bring Aurora fully online for users in 2024. As such, the Aurora submission represented 10,624 Intel CPUs and 31,874 Intel GPUs working in concert to deliver 585.34 PFlop/s at a total of 24.69 megawatts (MW) of power. In contrast, AMD's Frontier holds the performance title at 1.194 EFlop/s, which is more than twice the performance of Aurora, while consuming a comparably miserly 22.70 MW (yes, that's less power for the full Frontier supercomputer than for half of the Aurora system). Aurora did not land on the Green500, a list of the most power-efficient supercomputers, with this submission, but Frontier continues to hold eighth place on that list.
However, Aurora is expected to eventually reach up to 2 EFlop/s of performance when it comes fully online. When complete, Aurora will have 21,248 Xeon Max CPUs and 63,744 Max Series 'Ponte Vecchio' GPUs spread across 166 racks and 10,624 compute blades, making it the largest known single deployment of GPUs in the world. The system leverages HPE Cray EX – Intel Exascale Compute Blades and uses HPE's Slingshot-11 networking interconnect.
AMD is in the process of deploying El Capitan, which is projected to be faster than Aurora with 2 EFlop/s+ of performance, at the Lawrence Livermore National Laboratory. As such, Intel's incessantly delayed Aurora may never take the number one position on the Top500 list — the race is certainly on for the next round of Top500 submissions in June 2024.
[...] Meanwhile, Microsoft's new Eagle supercomputer, deployed in the Azure Cloud, has now taken the number three spot on the list, pushing Japan's Fugaku into fourth place on the leaderboard. Eagle is the first cloud system to break the top ten. The LUMI system in Kajaani, Finland, rounded out the top five with 379.70 PFlop/s of performance.
Arthur T Knackerbracket has processed the following story:
Google gives Apple a 36 percent cut of all search ad revenue that comes from Safari, according to University of Chicago professor Kevin Murphy. Google had fought to keep the number confidential, but Bloomberg reports that Murphy shared the figure while testifying in Google’s defense today at the Google antitrust trial.
Google has long paid to be the default search engine in Safari and other browsers like Firefox, spending $26.3 billion in 2021 alone for the privilege. $18 billion of that went to Apple, but the specifics of where the number came from remained secret until now. Google has been trying to keep such details under wraps as the trial goes on, but bits and pieces have seeped out anyway. According to Bloomberg, Google lawyer John Schmidtlein “visibly cringed when Murphy said the number.” Google declined to comment in an email to The Verge; Apple did not immediately respond to a request for comment.
Apple’s Eddy Cue defended the deal in September, saying Apple actually wanted a bigger cut of the money Google makes from Safari traffic, but the companies settled on the lower number Murphy revealed today. While specific numbers were discussed that day, they were only talked about in closed sessions, away from the ears of press.
Arthur T Knackerbracket has processed the following story:
The ongoing Google vs. Epic trial has brought out another interesting piece of information. As per testimony presented by Epic Games (via Bloomberg), Google paid Samsung $8 billion over a period of four years to keep Search, Assistant, and Play Store as default services on Samsung phones.
When questioned by Epic's lawyers on Monday, James Kolotouros, Vice President for Partnerships at Google, said that Google struck deals with Android phone makers to ensure their devices were pre-loaded with the Google Play Store. Kolotouros' testimony further revealed that Samsung's phones and other devices account for half or more of the entire Google Play Store revenue.
In 2019, Google reportedly ran an initiative called “Project Banyan.” Under it, the company invested funds so the Google Play Store could remain on Samsung devices alongside the Galaxy Store. The company even offered to pay $200 million over four years to Samsung to make the Galaxy Store available within the Play Store, complete with its billing system. However, those plans were later scrapped, and Google reportedly signed three deals worth $8 billion with Samsung.
[...] Epic is trying to show that Google discouraged third-party app stores on Android devices by paying device makers to pre-install and make the Google Play Store the default app downloading destination. Google has been striking such deals for a long time, and they are also under scrutiny in a separate anti-trust suit brought on by the Department of Justice.
One of the most enduring mysteries within archaeology revolves around the identity of Punt, an otherworldly "land of plenty" revered by the ancient Egyptians. Punt had it all—fragrant myrrh and frankincense, precious electrum (a mixed alloy of gold and silver) and malachite, and coveted leopard skins, among other exotic luxury goods.
Despite being a trading partner for over a millennium, the ancient Egyptians never disclosed Punt's exact whereabouts except for vague descriptions of voyages along what's now the Red Sea. That could mean anywhere from southern Sudan to Somalia and even Yemen.
Now, according to a recent paper published in the journal eLife, Punt may have been the same place as another legendary port city in modern-day Eritrea, known to the Romans as Adulis. The conclusion comes from a genetic analysis of a baboon that was mummified during ancient Egypt's Late Period (between around 800 and 500 BCE). The genetics indicate the animal originated close to where Adulis would come into existence centuries later.
[...] In 2020, a team of researchers led by Nathaniel Dominy, an anthropologist at Dartmouth College, examined radioactive isotopes of strontium and oxygen in the mummified remains of baboons dating back to the New Kingdom (1550 to 1069 BCE) and the Ptolemaic period (305 to 330 BCE). Mapping the isotopic signatures to their approximate geographies, Dominy and his colleagues discovered some of the animals weren't native to Egypt, likely hailing from somewhere in the area of Eritrea, Ethiopia, Djibouti, and Somalia.
"The strontium values, for example, like in your molar teeth, reflect where you were when you were five, six, or seven years old. You move around as an adult and you live in different places but you retain that sort of fingerprint of your early childhood in a particular region," said Dominy. "This was a cool project because we were able to show that some of those baboons spent their entire lives in Egypt, but others we could tell came from some distant place."
Since we know Egyptians obtained baboons from Punt, this helped narrow the location slightly. And it provided some leads for Gisela Kopp, an evolutionary biologist at the University of Konstanz in Germany. In the new paper, her team, which included Dominy, analyzed the mitochondrial DNA of a mummified baboon first excavated in 1905 in Egypt's Valley of the Monkeys, on the western bank of the Nile at Luxor.
[...] But the question remains: Where was Punt? Dominy and Kopp are forced to speculate a bit. They note that the specimen's origin was close to where the port city of Adulis eventually came into being, which was part of the Aksumite Empire (it's in modern-day Eritrea). They suggest the same port may have been Punt in the past.
"The beauty of this project is that the mummies we studied are older than the first account of Adulis. So what we think we can say is that Adulis must have existed a couple hundred years before the first existence that we have of its historical record," said Dominy. "That fills in the gap because Punt is no longer used by the Egyptians, and Adulis comes into play. These baboons kind of connect Punt and Adulis in time to connect those dots."
[...] "I think saying Adulis equals Punt is going too far from an archaeological standpoint," said Wegner. "I think it would lend credence to the idea that where Adulis developed in later times equates to the region the Egyptians talk about as the land of Punt. It could well be that there was something there going back that far, a coastal settlement or perhaps a substantial town. That's a possibility for archaeologists to investigate further."
Dominy and Kopp acknowledge it's a bold statement equating Punt with Adulis. But they hope their boldness guides current and future archaeological research at Adulis and anywhere else within the region, encouraging insights into how commerce catalyzed ancient Egyptian maritime technology or how human trade influenced wildlife diversity.
Maybe the most important question is yet to be answered: Why did the ancient Egyptians revere baboons? They weren't native to Egypt, and in the environments the animals shared with humans, they were considered more of a nuisance than the avatar of a sacred deity.
Franziska Grathwol, Christian Roos, Dietmar Zinner, et al. (2023). Adulis and the transshipment of baboons during classical antiquity. eLife 12:e87513. https://doi.org/10.7554/eLife.87513
The vast majority of dog and cat owners will say their pets enrich their lives in countless ways and bring immeasurable levels of extra happiness, but researchers from Michigan State University suggest that most pet owners may just be telling themselves what they want to hear. Their new study found that despite owners claiming pets improve their lives, researchers did not see a reliable association between pet ownership and well-being during the COVID-19 pandemic:
The pandemic was a stressful time for everyone, to put it lightly. Even the most laid-back among us found themselves overwhelmed by the lockdowns and social distancing guidelines that dominated 2020. So, the research team at MSU theorized that the pandemic represented an ideal time to study just how much comfort and happiness pets really provide to their families.
In all, the study authors assessed a total of 767 people on three separate occasions in May 2020. The research team opted to adopt a mixed-method approach that allowed them to simultaneously assess several indicators of well-being, all while also asking participants to reflect on the role of pets from their point of view in an open-ended manner. Generally, pet owners predictably reported their pets made them happy. More specifically, they said their pets helped them feel more positive emotions and provided affection and companionship.
On the other hand, the participants also articulated the dark side of pet ownership, such as worries related to their pet's well-being or having their pets interfere with working remotely.
[...] "People say that pets make them happy, but when we actually measure happiness, that doesn't appear to be the case," says William Chopik, an associate professor in MSU's Department of Psychology and co-author of the study, in a university release. "People see friends as lonely or wanting companionship, and they recommend getting a pet. But it's unlikely that it'll be as transformative as people think."
As a lifetime pet owner who's had at least a dozen dogs over the years, I take umbrage with the study's findings. My dogs are always thrilled to see me when I arrive home from a long, tiring day of work, and taking them for a walk or just being in their presence immediately lifts my spirits. And I remember the calming effect petting a cat had for my ex-wife when she was pregnant and having a bad day.
Chopik, W. J., Oh, J., Weidmann, R., et al. (2023). The Perks of Pet Ownership? The Effects of Pet Ownership on Well-Being During the COVID-19 Pandemic. Personality and Social Psychology Bulletin, 0(0). https://doi.org/10.1177/01461672231203417
Arthur T Knackerbracket has processed the following story:
Nintendo snagged the most nominations of any publisher with 15, followed by Sony (13), Microsoft (10, including Bethesda and Activision Blizzard's nods) and Epic Games (nine). There are 31 awards in total, including Best Adaptation. The nominees in that category this year are Castlevania: Nocturne, Gran Turismo, The Last of Us, The Super Mario Bros. Movie and Twisted Metal.
A bunch of deserving indies picked up nominations as well, including Cocoon, Dave the Diver, Dredge, Tchia, Viewfinder, Pizza Tower and Hello Kitty Island Adventure. Meanwhile, continuing a redemption arc after its disastrous debut three years ago, Cyberpunk 2077 2.0 and its Phantom Liberty expansion racked up four nominations in total.
Highly invasive malware targeting software developers is once again circulating in Trojanized code libraries, with the latest ones downloaded thousands of times in the last eight months, researchers said Wednesday.
Since January, eight separate developer tools have contained hidden payloads with various nefarious capabilities, security firm Checkmarx reported. The most recent one was released last month under the name "pyobfgood." Like the seven packages that preceded it, pyobfgood posed as a legitimate obfuscation tool that developers could use to deter reverse engineering and tampering with their code. Once executed, it installed a payload, giving the attacker almost complete control of the developer's machine. [...]
All eight tools used the string "pyobf" as the first five characters in an attempt to mimic genuine obfuscator tools such as pyobf2 and pyobfuscator. The other seven packages were:
While Checkmarx focused primarily on pyobfgood, the company provided a release timeline for all eight of them.
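Checkmarx's observation above is that all eight names borrow the "pyobf" prefix from genuine tools. As an added example (not Checkmarx's or the article's code), the following dependency-review check flags a requested package name that sits within a small edit distance of, or shares a long prefix with, a maintained allow list of legitimate names; the allow list here holds only the two genuine obfuscators the report mentions, and the thresholds are assumptions to be tuned.

```python
"""Lookalike check for package names against an allow list of legitimate tools."""

# The two genuine obfuscators named in the report. A real allow list would be
# the organisation's approved dependencies.
KNOWN_GOOD = {"pyobf2", "pyobfuscator"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def common_prefix_len(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def lookalike_of(name: str, known=KNOWN_GOOD, max_distance: int = 2, min_prefix: int = 5):
    """Return (legitimate_name, reason) if `name` resembles an allow-listed
    package without being one, else None. Thresholds are assumed defaults."""
    name = name.lower()
    if name in known:
        return None
    candidates = []
    for good in sorted(known):
        dist = edit_distance(name, good)
        prefix = common_prefix_len(name, good)
        if dist <= max_distance:
            candidates.append((dist, good, f"edit distance {dist} from {good}"))
        elif prefix >= min_prefix:
            candidates.append((dist, good,
                               f"shares the {prefix}-char prefix {name[:prefix]!r} with {good}"))
    if not candidates:
        return None
    _, good, reason = min(candidates)  # closest legitimate name wins
    return good, reason


if __name__ == "__main__":
    for requested in ["pyobfgood", "pyobfuscater", "py0bf2", "pyobf2", "requests"]:
        print(requested, "->", lookalike_of(requested))
```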
Pyobfgood installed bot functionality that worked with a Discord server identified with the string:
There was no indication of anything amiss on the infected computer. Behind the scenes, however, the malicious payload was not only intruding into some of the developer's most private moments, but silently mocking the developer in source code comments at the same time. Checkmarx explained:
The Discord bot includes a specific command to control the computer's camera. It achieves this by discreetly downloading a zip file from a remote server, extracting its contents, and running an application called WebCamImageSave.exe. This allows the bot to secretly capture a photo using the webcam. The resulting image is then sent back to the Discord channel, without leaving any evidence of its presence after deleting the downloaded files.
Among these malicious functions, the bot's malicious humor emerges through messages that ridicule the imminent destruction of the compromised machine. "Your computer is going to start burning, good luck. :)" and "Your computer is going to die now, good luck getting it back :)"
But hey, at least there is a smiley at the end of these messages.
These messages not only highlight the malicious intent but also the audacity of the attackers.
The Verge reports that Google will remove Gmail's Basic HTML view effective January 2024.
Though the vast majority of people use the Standard view on their PCs without question, the HTML version of Gmail has its perks. The stripped-down Gmail experience loads quickly, and users can access it even on older machines or with much slower connections.
The change appears to have been announced around September 19th in a Google support article, and users of the Basic HTML view were shown warnings that it would be discontinued, after which they would be switched to the current Standard view.
The removal of Gmail's basic HTML view is the latest in a long line of products, features, services, and more to be admitted to the Google graveyard. The company has also recently buried its Pixel Pass phone upgrade program, Google Currents, and Nest Secure.
Amazon has been working on an in-house replacement for its Android-based Fire OS, codenamed "Vega" and built for easier app development, according to reporting from Janko Roettgers at Lowpass.
While an Android base provides a relatively familiar entry for developers that already have Android apps, rebuilding the AOSP project—meant to support a wealth of different devices and carrying years of technical debt—seemingly became frustrating enough for Amazon to push toward an in-house solution.