Education

40,000 Chromebooks and 9,600 iPads Went Missing At Chicago Public Schools During COVID (suntimes.com) 90

theodp shares a report from Chicago Sun-Times, written by Frank Main: When the school system [Chicago Public Schools] shifted to having students learn remotely in the spring of 2020 near the beginning of the pandemic, it lent students iPads, MacBooks and Windows computer devices so they could do school work and attend virtual classes from home. CPS then spent about $165 million to buy Chromebook desktop computers so that every student from kindergarten through senior year in high school who needed a computer could have one. Students borrowed 161,100 Chromebooks in September 2020. By June 2021, more than 210,000 of those devices had been given out. Of them, nearly 40,000 Chromebooks have been reported lost -- nearly a fifth of those that were lent.

"Schools have made repeated efforts to recover the lost devices from families without success," according to a written statement from CPS officials in response to questions about the missing school property. Also missing are more than 9,600 iPads, 114 televisions, 1,680 printers and 1,127 audiovisual projectors, among many other items. Officials say CPS has bought new computer devices to replace the missing ones.
Longtime Slashdot reader theodp notes that "there were 340,658 students enrolled in the Chicago Public Schools (CPS) at the start of the 2020-2021 school year."
Wikipedia

Russians Are Racing To Download Wikipedia Before It Gets Banned (slate.com) 61

An anonymous reader quotes a report from Slate.com: On March 1, after a week of horror in Ukraine, reports came out that Russia's censorship office had threatened to block Russian Wikipedia. A 32-year-old who asked to be called Alexander soon made a plan to download a local copy of Russian-language Wikipedia to keep with him in eastern Russia. "I did it just in case," he told me over Instagram Messenger before sharing that he and his wife are "working on moving to another country" with their two dogs, Prime and Shaggy. (Instagram has been blocked in Russia, but many continue to access it using virtual private networks. On Monday, the Russian government officially declared Facebook and Instagram "extremist organizations.")

Alexander wasn't the only Russian citizen to make a local copy of Wikipedia. Data suggests that after the threats of censorship, Russians started torrenting Wikipedia in droves. Currently, Russia is the country with the most Wikipedia downloads—by a landslide. Before the invasion, it rarely broke the top 10, but after the Feb. 24 invasion of Ukraine, it has kept a solid hold on first place. The 29-gigabyte file that contains a downloadable Russian-language Wikipedia was downloaded a whopping 105,889 times during the first half of March, which is a more than 4,000 percent increase compared with the first half of January. According to Stephane Coillet-Matillon, who leads Kiwix, the organization that facilitates these downloads, Russian downloads now constitute 42 percent of all traffic on Kiwix servers, up from just 2 percent in 2021. "We had something similar back in 2017 when Turkey blocked Wikipedia," he said, "but this one is just another dimension."
"Wikipedia routinely makes a dump of its databases available publicly, which Kiwix compresses into an archive so it can be more easily shared," adds Slate. "The entirety of English Wikipedia, from 'List of Informally Named Dinosaurs' to 'Floor' to 'Skunks as Pets' and everything in between, is 87 GB with pictures or 47 GB without. Russian-language Wikipedia is even smaller, containing 1.8 million articles compared with English Wikipedia's 6.4 million."
Twitter

The New Silent Majority: People Who Don't Tweet (axios.com) 128

An anonymous reader quotes a report from Axios, written by Erica Pandey and Mike Allen: The rising power and prominence of the nation's loudest, meanest voices obscures what most of us personally experience: Most people are sane and generous -- and too busy to tweet. It turns out, you're right. We dug into the data and found that, in fact, most Americans are friendly, donate time or money, and would help you shovel your snow. They are busy, normal and mostly silent. These aren't the people with big Twitter followings or cable-news contracts -- and they don't try to pick fights at school board meetings. So the people who get the clicks and the coverage distort our true reality.

Three stats we find reassuring:

1. 75% of people in the U.S. never tweet.
2. On an average weeknight in January, just 1% of U.S. adults watched primetime Fox News (2.2 million). 0.5% tuned into MSNBC (1.15 million).
3. Nearly three times more Americans (56%) donated to charities during the pandemic than typically give money to politicians and parties (21%).
The report also highlights a Gallup 2021 poll, showing that 42% of Americans identified as independents.
Data Storage

Backblaze Has Released Their First Drive Stats Report For SSDs (backblaze.com) 32

Backblaze has published its first SSD edition of the Drive Stats report. A Slashdot reader writes: This edition focuses exclusively on their SSDs as opposed to their quarterly and annual Drive Stats reports which, until last year, focused exclusively on HDDs. Initially they expect to publish the SSD edition twice a year, although that could change depending on its value to readers. They'll continue to publish the HDD Drive Stats reports quarterly. It's an interesting look at SSD reliability in a commercial environment and may be useful to anyone wondering what drive they should (or shouldn't) consider for their own deployment.
Firefox

With Growing Revenue But Slipping Market Share - Is Firefox Okay? 242

Industry analysts and former Mozilla employees are concerned about Firefox's future, reports Ars Technica, warning that the ultimate fate of Firefox "has larger implications for the web as a whole." Since its release in 2008, [Google's] Chrome has become synonymous with the web: it's used by around 65 percent of everyone online and has a huge influence on how people experience the Internet. When Google launched its AMP publishing standard, websites jumped to implement it. Similar plans to replace third-party cookies in Chrome — a move that will impact millions of marketers and publishers — are shaped in Google's image.

"Chrome has won the desktop browser war," says one former Firefox staff member, who worked on browser development at Mozilla but does not want to be named, as they still work in the industry. Their hopes for a Firefox revival are not high. "It's not super reasonable for Firefox to expect to win back even any browser share at this point." Another former Mozilla employee, who also asked not to be named for fear of career repercussions, says: "They're just going to have to accept the reality that Firefox is not going to come back from the ashes...."

Mozilla's financial declarations from 2020 said that despite the layoffs it is in a healthy place, and it expects its financial results for 2021 to show revenue growth. However, Mozilla and Firefox acknowledge that for its long-term future it needs to diversify the ways it makes money. These efforts have ramped up since 2019. The company owns read-it-later service Pocket, which includes a paid premium subscription service. It has also launched two similar VPN-style products that people can subscribe to. And the company is pushing more into advertising as well, placing ads on new tabs that are opened in the Firefox browser.... Selena Deckelmann, senior vice president of Firefox, says Firefox is likely to continue looking for ways to keep personalizing people's online browsing. "I'm not sure that what's going to come out of that is going to be what people traditionally expect from a browser, but the intention will always be to put people first," she says. Just this week, Firefox announced a partnership with Disney — linked to a new Pixar film — that involves changing the color of the browser and ads to win subscriptions to Disney+. The deal speaks both to Firefox's personalization push and the strange roads its search for revenue streams can lead down.

Deckelmann adds that Firefox doesn't need to be as big as Chrome or Apple's Safari, the second largest browser, to succeed. "All we really want is to be a viable choice," Deckelmann says. "Because we think that this makes a better Internet for everybody to have these different options."

Interesting stats from the article:
  • Next year, Firefox's "lucrative search deal with Google — responsible for the vast majority of its revenue" — is set to expire.
Operating Systems

Raspberry Pi Bootloader Enables OS Installs With No Separate PC Required (arstechnica.com) 63

An anonymous reader quotes a report from Ars Technica: Setting up a Raspberry Pi board has always required a second computer, which is used to flash your operating system of choice to an SD card so your Pi can boot. But the Pi Foundation is working on a new version of its bootloader that could connect an OS-less Pi board directly to the Internet, allowing it to download and install the official Raspberry Pi OS to a blank SD card without requiring another computer. To test the networked booting feature, you'll need to use the Pi Imager on a separate computer to copy an updater for the bootloader over to an SD card -- Pi firmware updates are normally installed along with new OS updates rather than separately, but since this is still in testing, it requires extra steps.

Once it's installed, there are a number of conditions that have to be met for network booting to work. It only works on Pi 4 boards (and Pi 4-derived devices, like the Pi 400 computer) that have both a keyboard and an Ethernet cable connected. If you already have an SD card or USB drive with a bootable OS connected, the Pi will boot from those as it normally does so it doesn't slow down the regular boot process. And you'll be limited to the OS image selection in the official Pi imager, though this covers a wide range of popular distributions, including Ubuntu, LibreELEC, a couple of retro-gaming emulation OSes, and Homebridge. For other OSes, downloading the image on a separate PC and installing it to an SD card manually is still the best way to go.
To learn more about installing the bootloader or downloading the Pi OS over a network, you can view the Raspberry Pi Foundation's documentation here.
Games

Unity Games Make Up Nearly Half of Steam Deck Verified List (neowin.net) 21

"Steam Deck Verified list is ramping up!" writes Slashdot reader segaboy81, sharing a breakdown of some notable stats via a Neowin article: As of this writing, there are 136 Steam Deck Verified titles, which will alone give Steam Deck the largest launch library of any console, ever. In fact, at this time yesterday the Steam Deck Verified list was at 99 titles. This means there has been over a 30% jump in verified titles overnight. Let's look at the breakdown.

Of the 136 verified titles, 64 of them were developed with Unity. That could be an indication of how popular the engine is, but in all of Steam there are 26,142 titles that use it, out of 110,014. That's less than a quarter of all titles. But what about publishers? Square Enix tops this list and the top developers list, but not by a lot. Of the verified games, nine are published by Square, while five are published and developed by them. Among those titles is the awesome Power Wash simulator, which has a whopping 95.26% user rating.
Neowin also notes that 48 of the verified titles "have been released since 2021" and over a third "have been released within the last 14 months."
Government

Not Just the IRS - 20 US Agencies Are Already Set Up For Selfie IDs (wired.com) 70

America's Internal Revenue Service created an uproar with early plans to require live-video-feed selfies to verify identities for online tax services (via an outside company called ID.me).

But Wired points out that more than 20 U.S. federal agencies are already using a digital identification system (named Login.gov and built on services from LexisNexis) that "can use selfies for account verification."

It's run by America's General Services Administration, or GSA.... The GSA's director of technology transformation services Dave Zvenyach says facial recognition is being tested for fairness and accessibility and not yet used when people access government services through Login.gov. The GSA's administrator said last year that 30 million citizens have Login.gov accounts and that it expects the number to grow significantly as more agencies adopt the system.

"ID.me is supplying something many governments ask for and require companies to do," says Elizabeth Goodman, who previously worked on Login.gov and is now senior director of design at federal contractor A1M Solutions. Countries including the UK, New Zealand, and Denmark use similar processes to ID.me's to establish digital identities used to access government services. Many international security standards are broadly in line with those of the U.S., written by the National Institute of Standards and Technology (NIST).

Goodman says that such programs need to provide offline options such as visiting a post office for people unable or unwilling to use phone apps or internet services....

In fact, Wired argues that in many cases, a selfie or biometric data is virtually required by U.S. federal security guidelines from 2017: NIST's 2017 standard says that access to systems that can leak sensitive data or harm public programs should require verifying a person's identity by comparing them to a photo — either remotely or in person — or using biometrics such as a fingerprint scanner. It says that a remote check can be done either by video with a trained agent, or using software that checks for an ID's authenticity and the "liveness" of a person's photo or video.... California's Employment Development Department said that ID.me blocked more than 350,000 fraudulent claims in the last three months of 2020. But the state auditor said an estimated 20 percent of legitimate claimants were unable to verify their identities with ID.me.

Caitlin Seeley George, director of campaigns and operations with nonprofit Fight for the Future, says ID.me uses the specter of fraud to sell technology that locks out vulnerable people and creates a stockpile of highly sensitive data that itself will be targeted by criminals. ...

Microsoft

Windows 11 is Getting Android Apps, Taskbar Improvements, and More Next Month (theverge.com) 73

Microsoft is planning to launch a public preview of its Android apps for Windows 11 next month, alongside some taskbar improvements and redesigned Notepad and Media Player apps. Windows chief Panos Panay outlined the upcoming changes to Windows 11 in a blog post today, and they appear to be part of Windows 11's first big update. From a report: The taskbar improvements include a mute and unmute feature and likely the ability to show a clock on secondary monitors. Both were missing at the launch of Windows 11, but Microsoft is still working on improving the taskbar further to bring back missing functionality like drag and drop. The upcoming Windows 11 update next month will also include the weather widget returning to the taskbar, something Microsoft started testing last month. Microsoft is also redesigning its Notepad and Media Player apps, and both include dark modes and design tweaks that more closely match Windows 11.

The big new addition will be Android apps on Windows 11, though. Panay says this will be a "public preview," indicating that the feature will still be in beta when it's widely available next month. Microsoft first started testing Android apps on Windows 11 with testers in October, and the feature allows you to install a limited number of apps from Amazon's Appstore. There are a variety of workarounds to get Google Play Store running on Windows 11, but Microsoft isn't officially supporting this. Panay also shared a variety of stats about how important Windows has become over the past couple of years. Windows 10 and Windows 11 now run on 1.4 billion devices each month, and the PC market has experienced strong growth throughout the pandemic.

Security

Linux Malware Sees 35% Growth During 2021 (bleepingcomputer.com) 71

The number of malware infections targeting Linux devices rose by 35% in 2021, most commonly to recruit IoT devices for DDoS (distributed denial of service) attacks. BleepingComputer reports: A Crowdstrike report looking into the attack data from 2021 summarizes the following:

- In 2021, there was a 35% rise in malware targeting Linux systems compared to 2020.
- XorDDoS, Mirai, and Mozi were the most prevalent families, accounting for 22% of all Linux-targeting malware attacks observed in 2021.
- Mozi, in particular, had explosive growth in its activity, with ten times more samples circulating in the wild the year that passed compared to the previous one.
- XorDDoS also had a notable year-over-year increase of 123%.
[...]
The CrowdStrike findings aren't surprising as they confirm an ongoing trend that emerged in previous years. For example, an Intezer report analyzing 2020 stats found that Linux malware families increased by 40% in 2020 compared to the previous year. In the first six months of 2020, a steep rise of 500% in Golang malware was recorded, showing that malware authors were looking for ways to make their code run on multiple platforms. This programming, and by extension, targeting trend, has already been confirmed in early 2022 cases and is likely to continue unabated.

NASA

NASA's Next-Generation Asteroid Impact Monitoring System Goes Online (nasa.gov) 11

"To date, nearly 28,000 near-Earth asteroids have been found by survey telescopes that continually scan the night sky, adding new discoveries at a rate of about 3,000 per year..." according to an article from NASA:

"The first version of Sentry was a very capable system that was in operation for almost 20 years," said Javier Roa Vicens, who led the development of Sentry-II while working at JPL as a navigation engineer and recently moved to SpaceX. "It was based on some very smart mathematics: In under an hour, you could reliably get the impact probability for a newly discovered asteroid over the next 100 years — an incredible feat."
But RockDoctor (Slashdot reader #15,477) summarizes some new changes: For nearly 20 years, newly discovered asteroids had orbital predictions processed by a system called "Sentry", resulting in quick estimates on the impact risk they represent with Earth. Generally this has worked well, but several things in the future required updates, and a new system adds a number of useful features too.

The coming wave of big survey telescopes which will check the whole sky every few days is going to greatly increase the number of discoveries. That requires streamlining of the overall system to improve processing speed. The new system can also automatically incorporate factors which previously required manual intervention to calculate, particularly the effect of asteroid rotation creating non-gravitational forces on a new discovery's future orbit. Objects like asteroid Bennu (recently the subject of a sampling mission) had significant uncertainty on their future path because of these effects. That doesn't mean that Bennu can possibly hit us in the next few centuries, but it became harder to say over the next few millennia. As NASA puts it:

Popular culture often depicts asteroids as chaotic objects that zoom haphazardly around our solar system, changing course unpredictably and threatening our planet without a moment's notice. This is not the reality. Asteroids are extremely predictable celestial bodies that obey the laws of physics and follow knowable orbital paths around the Sun.

But sometimes, those paths can come very close to Earth's future position and, because of small uncertainties in the asteroids' positions, a future Earth impact cannot be completely ruled out. So, astronomers use sophisticated impact monitoring software to automatically calculate the impact risk....

[T]he researchers have made the impact monitoring system more robust, enabling NASA to confidently assess all potential impacts with odds as low as a few chances in 10 million.
The article includes videos explaining the future uncertainties on the orbits of potentially hazardous asteroids Bennu and Apophis.

Games

How a Dream Job Streaming on Twitch Can Become a Burnout Nightmare (theguardian.com) 136

"Streamers are not really known for hard partying..." writes the Guardian's videogames editor, after meeting the up-and-coming stars of Twitch.

"I was instead astonished — and, honestly, worried — by how hard they worked." The woman sitting next to me told me that she streams for eight to 10 hours every day, and when she wasn't live she was curating her social media, responding to fans, scouting for brand partnerships or collaborations with other streamers; throughout our conversation she was visibly resisting the impulse to check her phone, where new stats and fan comments and potential opportunities were presumably stacking up. I asked what she does for fun and she seemed genuinely confused by the question.

Playing video games for an audience for a living sounds like fun — and hell, there are many worse jobs out there — but it is also an ultra-competitive profession that attracts millions of aspiring kids with limitless energy and absolutely no concept of work-life balance. It involves extreme hours and intense pressure to be constantly available to the audience of viewers on whom they depend. And according to recently leaked Twitch data, the top 1% of streamers on its platform received more than half of the $889m (£660m) it paid out to creators last year; three quarters of the rest made $120 (£89) or less. Millions made nothing at all.

I was not surprised, over the following years, to read story after story about these energetic young people — with what must have seemed like the best job in the world — burning out. When you are broadcasting yourself so much of the time, when your hobby becomes your job and your job becomes your hobby, and when your personality becomes your brand and your brand becomes your personality, what does life offline look like for you? Who are you when the camera is off? The fact is that, especially for up-and-coming streamers trying to make it in the crowded world of playing video games on the internet, the camera is almost never off. Sticking to a regular schedule is the best way to build an audience on Twitch, and those schedules regularly involve at least eight hours of continuous streaming, five days a week or more... The reasons for these ultra-demanding hours are simple: the more you broadcast, the greater your chances of being featured on Twitch's homepage, the more followers you accrue, and the more money you might eventually make.

The article acknowledges that among Twitch streamers, "tens of thousands of creators make at least a livable wage."

"It is no wonder, then, that many streamers end up obsessed with the numbers and graphs and invisible algorithms that determine their fate."
Hardware

D-Wave Announces New Hardware, Compiler, and Plans For Quantum Computing (arstechnica.com) 23

On Tuesday, D-Wave released its roadmap for upcoming processors and software for its quantum annealers. The company is also announcing that it's going to be developing its own gate-based hardware, which it will offer in parallel with the quantum annealer. Ars Technica's John Timmer talked with company CEO Alan Baratz to understand all the announcements. An anonymous reader shares an excerpt from the report: The simplest part of the announcement to understand is what's happening with D-Wave's quantum-annealing processor. The current processor, called Advantage, has 5,000 qubits and 40,000 connections among them. These connections play a major role in the chip's performance as, if a direct connection between two qubits can't be established, others have to be used to act as a bridge, resulting in a lower effective qubit count. Starting this week, users of D-Wave's cloud service will have access to an updated version of Advantage. The qubit and connection stats will remain the same, but the device will be less influenced by noise in the system (in technical terms, its qubits will maintain their coherence longer). [...] Further out in the future is the follow-on system, Advantage 2, which is expected late next year or the year after. This will see another boost to the qubit count, going up to somewhere above 7,000. But the connectivity would go up considerably as well, with D-Wave targeting 20 connections per qubit.

D-Wave provides a set of developer tools it calls Ocean. In previous iterations, Ocean has allowed people to step back from directly controlling the hardware; instead, if a problem could be expressed as a quadratic unconstrained binary optimization (QUBO), Ocean could produce the commands needed to handle all the hardware configuration and run the problem on the optimizer. D-Wave referred to this as a hybrid problem solver, since Ocean would use classical computing to optimize the QUBO prior to execution. The only problem is that not everyone who might be interested in trying D-Wave hardware knows how to express their problem as a QUBO. So, the new version of Ocean will allow an additional layer of abstraction by allowing problems to be sent to the system in the format typically used by people who tend to solve these sorts of problems. "You will now be able to specify problems in the language that data scientists and data analysts understand," Baratz promised.
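To make the QUBO formulation concrete, here is an added example (not D-Wave's Ocean code, and it does not talk to any annealer): a small max-cut problem is written as a QUBO, i.e. a matrix Q such that the assignment x minimising x^T Q x is the best cut, and a brute-force search over the 2^n bit strings plays the role of the solver. The five-node graph is constructed for this example.

```python
"""Express max-cut as a QUBO and solve a tiny instance by exhaustive search.

Added example, not part of the article or of D-Wave's Ocean SDK. A real
annealer would receive the same Q dictionary; here we enumerate every bit
string instead, which only works for a handful of variables.
"""
import itertools

# Constructed sample graph: a triangle (0,1,2) attached to a 4-cycle 1-3-4-2.
# The triangle guarantees at least one edge stays uncut, so the best cut is 5.
SAMPLE_NODES = 5
SAMPLE_EDGES = [(0, 1), (0, 2), (1, 2), (1, 3), (2, 4), (3, 4)]


def maxcut_qubo(edges):
    """Build Q (as {(i, j): coefficient}, i <= j) so that minimising
    sum_i Q[i,i] x_i + sum_{i<j} Q[i,j] x_i x_j maximises the cut.

    Each edge (i, j) contributes x_i + x_j - 2 x_i x_j to the cut size;
    negating that gives the minimisation form used here."""
    Q = {}
    for i, j in edges:
        Q[(i, i)] = Q.get((i, i), 0) - 1
        Q[(j, j)] = Q.get((j, j), 0) - 1
        a, b = min(i, j), max(i, j)
        Q[(a, b)] = Q.get((a, b), 0) + 2
    return Q


def qubo_energy(Q, x):
    """Evaluate x^T Q x for a 0/1 vector x."""
    return sum(coef * x[i] * x[j] for (i, j), coef in Q.items())


def brute_force_minimum(Q, n_vars):
    """Return (minimum energy, list of all bit strings achieving it)."""
    best, argmins = None, []
    for x in itertools.product((0, 1), repeat=n_vars):
        e = qubo_energy(Q, x)
        if best is None or e < best:
            best, argmins = e, [x]
        elif e == best:
            argmins.append(x)
    return best, argmins


def solve_sample():
    """Cut size of the best partition of SAMPLE_EDGES and the partitions found."""
    Q = maxcut_qubo(SAMPLE_EDGES)
    energy, solutions = brute_force_minimum(Q, SAMPLE_NODES)
    return -energy, solutions


if __name__ == "__main__":
    cut, sols = solve_sample()
    print(f"max cut = {cut}; optimal assignments: {sols}")
```

The energy is the negated cut size, so the minimum of -5 corresponds to a cut of five edges; every optimal bit string appears together with its complement, since swapping the two sides of a cut does not change it.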

The biggest part of today's announcement, however, may be that D-Wave intends to also build gate-based hardware. Baratz explained that he thinks that optimization is likely to remain a valid approach, pointing to a draft publication that shows that structuring some optimization problems for gate-based hardware may be so computationally expensive that it would offset any gains the quantum hardware could provide. But it's also clear that gate-based hardware can solve an array of problems that a quantum annealer can't. He also argued that D-Wave has solved a number of problems that are currently limiting advances in gate-based hardware that uses electronic qubits called transmons. These include the amount and size of the hardware that's needed to send control signals to the qubits and the ability to pack qubits in densely enough so that they're easy to connect but not close enough that they start to interfere with each other. One of the problems D-Wave faces, however, is that the qubits it uses for its annealer aren't useful for gate-based systems. While they're based on the same bit of hardware (the Josephson junction), the annealer's qubits can only be set as up or down. A gate-based qubit needs to allow manipulations in three dimensions. So, the company is going to try building flux qubits, which also rely on Josephson junctions but use them in a different way. So, at least some of the company's engineering expertise should still apply.

China

World's Biggest Wind Turbine Shows the Disproportionate Power of Scale (newatlas.com) 201

China's MingYang Smart Energy has announced an offshore wind turbine even bigger than GE's monstrous Haliade-X. From a report: The MySE 16.0-242 is a 16-megawatt, 242-meter-tall (794-ft) behemoth capable of powering 20,000 homes per unit over a 25-year service life. The stats on these renewable-energy colossi are getting pretty crazy. When MingYang's new turbine first spins up in prototype form next year, its three 118-m (387-ft) blades will sweep a 46,000-sq-m (495,140-sq-ft) area bigger than six soccer fields. Every year, each one is expected to generate 80 GWh of electricity. That's 45 percent more than the company's MySE 11.0-203, from just a 19 percent increase in diameter. No wonder these things keep getting bigger; the bigger they get, the better they seem to work, and the fewer expensive installation projects need to be undertaken to develop the same capacity.
Firefox

Firefox Lost Almost 50 Million Users In 3 Years (itsfoss.com) 247

An anonymous reader quotes a report from It's FOSS, written by Ankush Das: Mozilla's Firefox is the only popular alternative to Chromium-based browsers. It has been the default choice for Linux users and privacy-conscious users across every platform. However, even with all its benefits as one of the best web browsers around, it has been losing its grip for the past few years. I came across a Reddit thread by u/nixcraft, which highlighted more details on the decline in the userbase of Firefox since 2018. And surprisingly, the original source for this information is Firefox's Public Data Report.

As per the official stats, the reported number of active (monthly) users was about 244 million at the end of 2018. And, it seems to have declined to 198 million at the end of Q2 2021. So, that makes it a whopping ~46 million decline in the userbase. Considering 2021 is the year when privacy-focused tools saw a big boost in their userbase, Mozilla's Firefox is looking at a constant decline. Especially when Firefox manages to introduce some industry-first privacy practices. Quite the irony, eh?
Just for fun, here's a timeline of our stories reporting on Firefox's download milestones from the mid-2000s:

September 19, 2004: 1 Million Firefoxes in 4 Days
December 12, 2004: Firefox Reaches 10 Million Downloads
February 17, 2005: Firefox Breaks 25 Million Downloads
April 26, 2005: Firefox nears 50 Million Downloads
July 29, 2005: Firefox Downloads Reach 75 Million
October 19, 2005: Firefox Tops 100 Million Downloads
September 11, 2007: Firefox Hits 400 Million Downloads
July 3, 2008: Firefox Breaks 8 Million, Gets Into Guinness
Security

Software Downloaded 30,000 Times From PyPI Ransacked Developers' Machines (arstechnica.com) 26

Open source packages downloaded an estimated 30,000 times from the PyPI open source repository contained malicious code that surreptitiously stole credit card data and login credentials and injected malicious code on infected machines, researchers said on Thursday. Ars Technica reports: In a post, researchers Andrey Polkovnichenko, Omer Kaspi, and Shachar Menashe of devops software vendor JFrog said they recently found eight packages in PyPI that carried out a range of malicious activity. Based on searches on https://pepy.tech, a site that provides download stats for Python packages, the researchers estimate the malicious packages were downloaded about 30,000 times. [...] Different packages from Thursday's haul carried out different kinds of nefarious activities. Six of them had three payloads, one for harvesting authentication cookies for Discord accounts, a second for extracting any passwords or payment card data stored by browsers, and the third for gathering information about the infected PC, such as IP addresses, computer name, and user name. The remaining two packages had malware that tries to connect to an attacker-designated IP address on TCP port 9009, and to then execute whatever Python code is available from the socket. It's not now known what the IP address was or if there was malware hosted on it.

Like most novice Python malware, the packages used only simple obfuscation, such as Base64 encoding. Karas told me that the first six packages had the ability to infect the developer computer but couldn't taint the code developers wrote with malware. "For both the pytagora and pytagora2 packages, which allow code execution on the machine they were installed on, this would be possible," he said in a direct message. "After infecting the development machine, they would allow code execution and then a payload could be downloaded by the attacker that would modify the software projects under development. However, we don't have evidence that this was actually done."

Links

What That Google Drive 'Security Update' Message Means (arstechnica.com) 9

An anonymous reader quotes a report from Ars Technica: "A security update will be applied to Drive," Google's weird new email reads. If you visit drive.google.com, you'll also see a message saying, "On September 13, 2021, a security update will be applied to some of your files." You can even see a list of the affected files, which have all gotten an unspecified "security update." So what is this all about? Google is changing the way content sharing works on Drive. Drive files have two sharing options: a single-person allow list (where you share a Google Doc with specific Google accounts) and a "get link" option (where anyone with the link can access the file). The "get link" option works the same way as unlisted YouTube videos -- it's not really private but, theoretically, not quite public, either, since the link needs to be publicized somewhere. The secret sharing links are really just security through obscurity, and it turns out the links are actually guessable.

Google knew about the problem of guessable secret links for a while and changed the way link generation works back in 2017 (presumably for Drive, too?). Of course, that doesn't affect links you've shared in the past, and soon Google is going to require your old links to change, which can break them. Google's new link scheme adds a "resourcekey" to the end of any shared Drive links, making them harder to guess. So a link that used to look like "https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/" will now look like "https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/view?resourcekey=0-OsOHHiQFk1QEw6vIyh8v_w". The resource key makes it harder to guess. If you head to drive.google.com/drive/update-drives in a browser, you should be able to see a list of your impacted files, and if you mouse over them you'll see a button on the right to remove or apply the security update. "Applied" means the resourcekey will be required after September 13, 2021, and will (mostly) break the old link, while "removed" means the resourcekey isn't required and any links out there should keep working.
YouTube is also making similar changes. "In 2017, we rolled out an update to the system that generates new YouTube Unlisted links, which included security enhancements that make the links for your Unlisted videos even harder for someone to discover if you haven't shared the link with them," says YouTube in a support page.

YouTube creators can decide to opt out of this change. They also have the option of making Unlisted pre-2017 videos public or re-uploading as a new Unlisted video at the expense of stats.
Government

California Approves a Targeted State-Funded Guaranteed Income Program (cnbc.com) 130

On Thursday, California's lawmakers approved America's first state-funded guaranteed income program for both qualifying young adults who have recently left foster care and for pregnant women, reports CNBC. The votes — 36-0 in the Senate and 64-0 in the Assembly — showed bipartisan support for an idea that is gaining momentum across the country. Dozens of local programs have sprung up in recent years, including some that have been privately funded, making it easier for elected officials to sell the public on the idea. California's plan is taxpayer-funded, and could spur other states to follow its lead.

"If you look at the stats for our foster youth, they are devastating," Senate Republican Leader Scott Wilk said. "We should be doing all we can to lift these young people up."

Local governments and organizations will apply for the money and run their programs. The state Department of Social Services will decide who gets funding. California lawmakers left it up to local officials to determine the size of the monthly payments, which generally range from $500 to $1,000 in existing programs around the country. The vote came on the same day millions of parents began receiving their first monthly payments under a temporary expansion of the federal child tax credit many view as a form of guaranteed income. "Now there is momentum, things are moving quickly," said Michael Tubbs, an advisor to California governor Gavin Newsom, who was a trailblazer when he instituted a guaranteed income program as mayor of Stockton. "The next stop is the federal government."

The Courts

Reddit Orders 'SaveVideo' Bot To Shut Down Or Face Lawsuit (torrentfreak.com) 44

An anonymous reader quotes a report from TorrentFreak: u/SaveVideo was a Reddit video downloader bot that helped users download and save videos from Reddit. The service was used by millions of people but according to its operator has now shut down following an ultimatum from Reddit. "The gods of Reddit have decided and I am obliged to obey or risk a lawsuit," SaveVideo announced yesterday. 'SaveVideo' (which operates from the RedditSave.com domain) is a decently sized operation by any standards. SimilarWeb stats indicate that since the start of the year, RedditSave.com has attracted a steady 10 million visitors per month. But now the show is over. "It has been a great pleasure to serve you all in the past few months. However, as they say, All good things must come to an end," its operator writes. "The gods of reddit have reached out to us. They do not want us to continue this service any longer."

The operator of the bot service says they have complied and as a result, the SaveVideo and RedditSave bots have been shut down. What is more surprising is that this doesn't appear to have been a simple request from Reddit but one that was supported by the threat of legal action. "The gods of reddit have decided and I am obliged to obey or risk a lawsuit," the bots' operator explains. Most Reddit users commenting on the shutdown are taking the stance that it is Reddit's admins who have threatened legal action but the announcement certainly leaves room for other scenarios too, including repeated complaints from copyright holders. [...] Reddit has no official comment at this stage but has informed TorrentFreak that it was "not responsible for whatever notice or litigation threat" received by SaveVideo.
Update: SaveVideo's operator says the downloader bot is back. "Reddit has confirmed to me that the notice did not originate from them," they added. "With that being said, I have restored all the bot/website's services back to normal." We'll see how long this lasts...
Privacy

Samsung Washing Machine App Requires Access To Your Contacts and Location (vice.com) 201

For some reason, Samsung apps designed to control internet-connected washers and dryers require "bogus," "absurd," "unacceptable," "pesky," and "awful" permissions. Motherboard reports: On Wednesday, a Reddit user complained that their washing machine app, the Samsung Smart Washer, wouldn't work "unless I give it access to my contacts, location and camera." This is a common complaint. "When I launch the app, the damned thing wants all sort of permissions: location, phone calls, media, and ... contacts??? The app won't work without these permissions," another Reddit user grumbled last year, referring to another Samsung app -- called Smart Home -- that requires the same seemingly exaggerated permissions. "Why would the Samsung Smart Home app need access to my contacts?" The reviews for these two apps, both of which have more than a million installs according to their stats on the Google Play store, aren't very positive either. The Smart Washer app has an average of 2.1 stars, thanks to a slew of reviews that mention the unnecessary permissions.

These situations speak to two issues: Apps that demand permissions that they don't need, and "smart" and internet of things devices that make formerly simple tasks very complicated, and open up potential privacy and security concerns. [...] It's unclear why apps that are designed to let you set the type of washing cycle you want, or see how long it's gonna take for the dryer to be done, would need access to your phone's contacts. In an FAQ for another Samsung app, the company says it needs access to contacts "to check if you already have a Samsung account set up in your device. Knowing this information helps mySamsung to make the sign-in process seamless."
The report recommends using a newer app called SmartThings App, "which has less invasive permission requirements compared to the older apps." The SmartThings app doesn't list any required permissions, indicating that "you can use the app without optional permissions, but some functions may be limited."