Month: March 2024

Enlarge / Supply-chain attacks, like the latest PyPI discovery, insert malicious code into seemingly functional software packages used by developers. They're becoming increasingly common. (credit: Getty Images)

PyPI, a vital repository for open source developers, temporarily halted new project creation and new user registration following an onslaught of package uploads that executed malicious code on any device that installed them. Ten hours later, it lifted the suspension.

Short for the Python Package Index, PyPI is the go-to source for apps and code libraries written in the Python programming language. Fortune 500 corporations and independent developers alike rely on the repository to obtain the latest versions of code needed to make their projects run. At a little after 7 pm PT on Wednesday, the site started displaying a banner message informing visitors that the site was temporarily suspending new project creation and new user registration. The message didn’t explain why or provide an estimate of when the suspension would be lifted.

Screenshot showing temporary suspension notification. (credit: Checkmarx)

About 10 hours later, PyPI restored new project creation and new user registration. Once again, the site provided no reason for the 10-hour halt.

Enlarge / One thing you can say about this crypto wallet: You can't confuse it for any other. (credit: Getty Images)

The Snap Store, where containerized Snap apps are distributed for Ubuntu's Linux distribution, has been attacked for months by fake crypto wallet uploads that seek to steal users' currencies. As a result, engineers at Ubuntu's parent firm are now manually reviewing apps uploaded to the store before they are available.

The move follows weeks of reporting by Alan Pope, a former Canonical/Ubuntu staffer on the Snapcraft team, who is still very active in the ecosystem. In February, Pope blogged about how one bitcoin investor lost nine bitcoins (about $490,000 at the time) by using an "Exodus Wallet" app from the Snap store. Exodus is a known cryptocurrency wallet, but this wallet was not from that entity. As detailed by one user wondering what happened on the Snapcraft forums, the wallet immediately transferred his entire balance to an unknown address after a 12-word recovery phrase was entered (which Exodus tells you on support pages never to do).

Pope takes pains to note that cryptocurrency is inherently fraught with loss risk. Still, Ubuntu's App Center, which presents the Snap Store for desktop users, tagged the "Exodus" app as "Safe," and the web version of the Snap Store describes Snaps as "safe to run." While Ubuntu is describing apps as "Safe" in the sense of being an auto-updating container with runtime confinement (or "sandboxed"), a green checkmark with "Safe" next to it could be misread, especially by a newcomer to Ubuntu, Snaps, and Linux generally.

Enlarge / A billboard from the AIDS Healthcare Foundation is seen on Sunset Boulevard in Hollywood, California, on May 29, 2018, warning of a drug-resistant gonorrhea. (credit: Getty | )

Health officials have long warned that gonorrhea is becoming more and more resistant to all the antibiotic drugs we have to fight it. Last year, the US reached a grim landmark: For the first time, two unrelated people in Massachusetts were found to have gonorrhea infections with complete or reduced susceptibility to every drug in our arsenal, including the frontline drug ceftriaxone. Luckily, they were still able to be cured with high-dose injections of ceftriaxone. But, as the US Centers for Disease Control and Prevention bluntly notes: "Little now stands between us and untreatable gonorrhea."

If public health alarm bells could somehow hit a higher pitch, a study published Thursday from researchers in China would certainly accomplish it. The study surveyed gonorrhea bacterial isolates—Neisseria gonorrhoeae—from around the country and found that the prevalence of ceftriaxone-resistant isolates nearly tripled between 2017 and 2021. Ceftriaxone-resistant strains made up roughly 8 percent of the nearly 3,000 bacterial isolates collected from gonorrhea infections in 2022. That's up from just under 3 percent in 2017. The study appears in the CDC's Morbidity and Mortality Weekly Report.

While those single-digit percentages may seem low, compared to other countries they're extremely high. In the US, for instance, the prevalence of ceftriaxone-resistant strains never went above 0.2 percent between 2017 and 2021, according to the CDC. In Canada, ceftriaxone-resistance was stable at 0.6 percent between 2017 and 2021. The United Kingdom had a prevalence of 0.21 percent in 2022.

Enlarge (credit: BRENDAN SMIALOWSKI / Contributor | AFP)

The White House has announced the "first government-wide policy to mitigate risks of artificial intelligence (AI) and harness its benefits." To coordinate these efforts, every federal agency must appoint a chief AI officer with "significant expertise in AI."

Some agencies have already appointed chief AI officers, but any agency that has not must appoint a senior official over the next 60 days. If an official already appointed as a chief AI officer does not have the necessary authority to coordinate AI use in the agency, they must be granted additional authority or else a new chief AI officer must be named.

Ideal candidates, the White House recommended, might include chief information officers, chief data officers, or chief technology officers, the Office of Management and Budget (OMB) policy said.

Enlarge (credit: Proxmox)

Broadcom has made sweeping changes to VMware's business since acquiring the company in November 2023, killing off the perpetually licensed versions of VMware's software and instituting large-scale layoffs. Broadcom executives have acknowledged the "unease" that all of these changes have created among VMware's customers and partners but so far haven't been interested in backtracking.

Among the casualties of the acquisition is the free version of VMware's vSphere Hypervisor, also known as ESXi. ESXi is "bare-metal hypervisor" software, meaning that it allows users to run multiple operating systems on a single piece of hardware while still allowing those operating systems direct access to disks, GPUs, and other system resources.

One alternative to ESXi for home users and small organizations is Proxmox Virtual Environment, a Debian-based Linux operating system that provides broadly similar functionality and has the benefit of still being an actively developed product. To help jilted ESXi users, the Proxmox team has just added a new "integrated import wizard" to Proxmox that supports importing of ESXi VMs, easing the pain of migrating between platforms.

Enlarge / Being in a box doesn't mean the iPhone can't update. (credit: Apple)

Unboxing a new gadget is always a fun experience, but it's usually marred somewhat by the setup process. Either your device has been in a box for months, or it's just now launching and ships in the box with pre-release software. Either way, the first thing you have to do is connect to Wi-Fi and wait several minutes for an OS update to download and install. The issue is so common that going through a lengthy download is an expected part of buying anything that connects to the Internet.

But what if you could update the device while it's still in the box? That's the latest plan cooked up by Apple, which is close to rolling out a system that will let Apple Stores wirelessly update new iPhones while they're still in their boxes. The new system is called "Presto."

French site iGeneration has the first picture of what this setup looks like. It starts with a clearly Apple-designed silver rack that holds iPhones and has a few lights on the front. The site (through translation) calls the device a "toaster," and yes, it looks like a toaster oven or food heating rack.